Snort mailing list archives
Re: Snort-devel Digest, Vol 13, Issue 9
From: İzzettin Erdem via Snort-devel <snort-devel () lists snort org>
Date: Mon, 11 Jun 2018 10:56:12 +0300
Hello Albert,

Yes, I tried "sudo snort -A console:test -c /etc/snort/snort.conf" and the output of the command was like this:

. . .
23 1 1333 0
23 1 251 0
23 1 123 0
24 1 111 0
24 1 122 0
24 1 1231 0
24 1 1052 0
. .

I don't know the meanings of the columns, can you help me ?

2018-06-11 5:04 GMT+03:00 <snort-devel-request () lists snort org>:
Today's Topics:

   1. Re: Snort-devel Digest, Vol 13, Issue 7 (İzzettin Erdem)
   2. Re: Snort-devel Digest, Vol 13, Issue 7 (Al Lewis (allewi))

----------------------------------------------------------------------

Message: 1
Date: Mon, 11 Jun 2018 01:08:17 +0300
From: İzzettin Erdem <root.mch () gmail com>
To: snort-devel () lists snort org
Subject: Re: [Snort-devel] Snort-devel Digest, Vol 13, Issue 7

I am working on Snort 2.9.11, is there any way to learn which alert belongs to which packet ?

2018-06-10 19:00 GMT+03:00 <snort-devel-request () lists snort org>:

    Today's Topics:

       1. Re: SNORT Alert Messages (Russ)

    ----------------------------------------------------------------------

    Message: 1
    Date: Sat, 9 Jun 2018 22:36:25 -0400
    From: Russ <rucombs () cisco com>
    To: snort-devel () lists snort org
    Subject: Re: [Snort-devel] SNORT Alert Messages

    For Snort 3: snort -A csv will get you output like this by default:

    05/28-08:07:32.663858, 1, TCP, raw, 40, C2S, 10.1.2.3:48620, 10.9.8.7:80, 1:1:0, allow

    The second field is the packet number.

    On 6/9/18 9:05 PM, Y M via Snort-devel wrote:

        Besides reviewing the pcap, you can also do the following:

        In Snort 2 > -A console:test
        In Snort 3 > -A log_hext , this will get you closer but not what you are looking for. You can play with --lua "log_hext = { raw = true }", but I didn't get the output you are looking for.

        YM

        ------------------------------------------------------------------------
        From: Snort-devel <snort-devel-bounces () lists snort org> on behalf of Y M via Snort-devel <snort-devel () lists snort org>
        Sent: Sunday, June 10, 2018 3:21 AM
        To: snort-devel () lists snort org
        Subject: Re: [Snort-devel] SNORT Alert Messages

        Comments inline.
        ------------------------------------------------------------------------

        > Hello again everyone,
        > I want to learn which alert belongs to which packet when SNORT prints alert messages. Is there any unique parameter that identifies packets?

        Such questions are better suited to the snort-user list. You will probably catch a wider audience there.

        > For example, when I give a pcap file which includes more than 50.000 packets inside to SNORT, I want to see alert messages like that:
        >
        > [some alert] - Packet ID: 125
        > [some alert] - Packet ID: 200
        > [some alert] - Packet ID: 1456
        > . . .
        > [some alert] - Packet ID: 23500

        Which Snort version are we talking about here?

        > If there does not exist a unique parameter for packets, how can I learn which alert belongs to which packet from alert messages ?

        By reviewing the packets via tcpdump/wireshark/tshark and correlating that to the detected rules? You can also chop your pcap to smaller chunks, which should make it easier.

        > Thanks.

    ------------------------------
    End of Snort-devel Digest, Vol 13, Issue 7

------------------------------

Message: 2
Date: Mon, 11 Jun 2018 02:04:18 +0000
From: "Al Lewis (allewi)" <allewi () cisco com>
To: İzzettin Erdem <root.mch () gmail com>, snort-devel () lists snort org
Subject: Re: [Snort-devel] Snort-devel Digest, Vol 13, Issue 7

Hello,

Have you tried using -Aconsole:test or -Acsv ?

Albert Lewis
ENGINEER.SOFTWARE ENGINEERING
Cisco Systems Inc.
_______________________________________________ Snort-devel mailing list Snort-devel () lists snort org https://lists.snort.org/mailman/listinfo/snort-devel Please visit http://blog.snort.org for the latest news about Snort!
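As an added example (not code from this thread or from the Snort project), here is a small Python parser for the Snort 3 "-A csv" lines Russ describes, using the second field as the packet number to produce the "[some alert] - Packet ID: N" listing the original poster asked for, plus a tshark/Wireshark display filter to pull those frames out of the pcap. Column names other than the packet number, the sample records beyond the one quoted in the thread, and the assumption that Snort's packet number equals the pcap frame index are mine.

```python
import csv
import io
from collections import defaultdict

# Constructed sample of Snort 3 "-A csv" output. The first line is the one quoted in
# the thread; the rest are made up in the same shape, plus one malformed line.
SAMPLE_CSV = """\
05/28-08:07:32.663858, 1, TCP, raw, 40, C2S, 10.1.2.3:48620, 10.9.8.7:80, 1:1:0, allow
05/28-08:07:32.663901, 125, TCP, raw, 60, C2S, 10.1.2.3:48621, 10.9.8.7:80, 1:2000001:3, alert
05/28-08:07:33.001200, 125, TCP, raw, 60, C2S, 10.1.2.3:48621, 10.9.8.7:80, 1:2000002:1, alert
05/28-08:07:34.100000, 1456, UDP, raw, 80, S2C, 10.9.8.7:53, 10.1.2.3:5353, 1:2000003:2, alert
this line is not an alert record and must be skipped
"""

# Only "second field = packet number" is stated on the list; the other names are my
# reading of the sample line (the rule field is gid:sid:rev) and are an assumption.
FIELDS = ("timestamp", "pkt_num", "proto", "pkt_gen", "pkt_len",
          "dir", "src", "dst", "rule", "action")


def parse_alert_csv(text):
    """Yield one dict per well-formed record; lines with the wrong field count
    or a non-numeric packet number are dropped rather than aborting the run."""
    for row in csv.reader(io.StringIO(text), skipinitialspace=True):
        if len(row) != len(FIELDS):
            continue
        rec = dict(zip(FIELDS, row))
        try:
            rec["pkt_num"] = int(rec["pkt_num"])
        except ValueError:
            continue
        yield rec


def alerts_by_packet(text):
    """Map packet number -> list of gid:sid:rev rules that fired on that packet."""
    index = defaultdict(list)
    for rec in parse_alert_csv(text):
        index[rec["pkt_num"]].append(rec["rule"])
    return dict(index)


def format_alerts(text):
    """Render the '[some alert] - Packet ID: N' lines the original poster asked for."""
    return [f"[{r['rule']}] - Packet ID: {r['pkt_num']}" for r in parse_alert_csv(text)]


def tshark_filter(text):
    """Display filter that selects the alerting frames in tshark/Wireshark.
    Assumes Snort's packet number equals the pcap frame index (frame.number, 1-based)."""
    return " || ".join(f"frame.number == {n}" for n in sorted(alerts_by_packet(text)))
```

Run the filter string as "tshark -r capture.pcap -Y '<filter>'" to see exactly the packets that triggered each rule.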