Snort mailing list archives

Snort 1.8p1, logging more information... how??


From: Steve Williams <intsteve () genie96 com>
Date: Thu, 19 Jul 2001 13:06:05 -0600

Hi,

A complete newbie to Snort.  It's pretty amazing and scary!

I'm running OpenBSD 2.6, Snort 1.8p1

After reading the FAQ, I am starting snort with 
snort -Afull -ifxp2 -c snort.conf -D

and sniffing packets on the external interface of our firewall.  I have
installed & run SnortSnarf, and looking at the resulting web page, I'd
like to get more information than SnortSnarf is giving me.

For example, I am getting alerts about "WEB-MISC count.cgi
access".  I would like to see the exact URL that generated this alert,
but in the /var/log/snort/xxx directory, the file only has basic
information:

/var/log/snort/a.b.c.d/TCP:26934-80:

[**] WEB-MISC count.cgi access [**]
07/18-17:17:13.221647 a.b.c.d:26934 -> e.f.g.h:80
TCP TTL:127 TOS:0x0 ID:42567 IpLen:20 DgmLen:372 DF
***AP*** Seq: 0xA668B723  Ack: 0x3D36F0B3  Win: 0x4453  TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

I'm getting hit with the IIS ISAPI as well, and would like to jump on
this kind of fast.

I would like to see more information from these packets.  Is it
something I put in the snort.conf file, or is it a command line
argument?  I'm a bit lost here.

Thanks for any assistance.

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
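What the post is asking for is the packet payload, which the default `-A full` per-packet log leaves out. In Snort 1.x the command-line switch `-d` adds an application-layer dump (16 hex bytes plus an ASCII column per line) to each logged packet, `-e` adds the link-layer header, and `-b` writes full packets in tcpdump format for later review with `tcpdump -r`. The script below is an added example, not code from the original post or from the Snort project: it reads a `-d` style per-packet log and recovers the HTTP request line (and so the exact URL) from the hex column. The sample log is constructed by hand for this example, starting from the alert header quoted in the post, and the dump layout it assumes (hex column, padding, ASCII column) is an assumption about the 1.x format.

```python
"""Recover the HTTP request line from a Snort 1.x per-packet log written
with application-layer dumping (snort -d).

Added example, not from the original post or the Snort project.  The
sample log below is constructed for this example; the dump layout it
assumes (16 hex bytes, padding, then an ASCII column) is an assumption.
"""
import re

# Constructed sample: the alert header from the post plus a -d payload
# dump.  Two packets from the same session, separated by Snort's =+=+ line.
SAMPLE_LOG = """\
[**] WEB-MISC count.cgi access [**]
07/18-17:17:13.221647 a.b.c.d:26934 -> e.f.g.h:80
TCP TTL:127 TOS:0x0 ID:42567 IpLen:20 DgmLen:110 DF
***AP*** Seq: 0xA668B723  Ack: 0x3D36F0B3  Win: 0x4453  TcpLen: 20
47 45 54 20 2F 63 67 69 2D 62 69 6E 2F 43 6F 75  GET /cgi-bin/Cou
6E 74 2E 63 67 69 3F 64 66 3D 64 65 6D 6F 2E 64  nt.cgi?df=demo.d
61 74 20 48 54 54 50 2F 31 2E 30 0D 0A 48 6F 73  at HTTP/1.0..Hos
74 3A 20 77 77 77 2E 65 78 61 6D 70 6C 65 2E 63  t: www.example.c
6F 6D 0D 0A 0D 0A                                om....
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

[**] WEB-MISC count.cgi access [**]
07/18-17:17:14.002113 a.b.c.d:26934 -> e.f.g.h:80
TCP TTL:127 TOS:0x0 ID:42568 IpLen:20 DgmLen:75 DF
***AP*** Seq: 0xA668B769  Ack: 0x3D36F0B3  Win: 0x4453  TcpLen: 20
47 45 54 20 2F 63 67 69 2D 62 69 6E 2F 43 6F 75  GET /cgi-bin/Cou
6E 74 2E 63 67 69 20 48 54 54 50 2F 31 2E 30 0D  nt.cgi HTTP/1.0.
0A 0D 0A                                         ...
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
"""

ALERT_RE = re.compile(r'^\[\*\*\] (?P<msg>.+?) \[\*\*\]$')
ADDR_RE = re.compile(r'^\S+ (?P<src>\S+) -> (?P<dst>\S+)$')
# A run of "XX " hex pairs at the start of the line, followed by the gap
# before the ASCII column.  The ASCII column is never used: non-printable
# bytes (CR, LF) are shown there as '.', indistinguishable from a period.
HEX_RE = re.compile(r'^((?:[0-9A-Fa-f]{2} )+)\s')
REQUEST_RE = re.compile(rb'^([A-Z]+) (\S+) (HTTP/\d\.\d)\r?\n')


def http_request_line(payload):
    """Return 'METHOD URI HTTP/x.y' from the start of a payload, or None."""
    m = REQUEST_RE.match(payload)
    if not m:
        return None
    return m.group(0).rstrip(b'\r\n').decode('latin-1')


def parse_snort_log(text):
    """Split a -d style per-packet log into records, one per logged packet,
    reassembling each payload from the hex column."""
    records, cur, payload = [], None, bytearray()
    for line in text.splitlines():
        if line.startswith('=+='):           # end of one logged packet
            if cur is not None:
                cur['payload'] = bytes(payload)
                cur['request_line'] = http_request_line(cur['payload'])
                records.append(cur)
            cur, payload = None, bytearray()
            continue
        m = ALERT_RE.match(line)
        if m:                                 # "[**] rule message [**]"
            cur = {'msg': m.group('msg'), 'src': None, 'dst': None}
            continue
        if cur is None:
            continue
        m = ADDR_RE.match(line)
        if m:                                 # "timestamp src -> dst"
            cur['src'], cur['dst'] = m.group('src'), m.group('dst')
            continue
        m = HEX_RE.match(line)
        if m:                                 # payload dump line
            payload += bytes.fromhex(m.group(1).strip())
    return records


if __name__ == '__main__':
    for r in parse_snort_log(SAMPLE_LOG):
        print(f"{r['msg']}: {r['src']} -> {r['dst']}  {r['request_line']}")
```

Decoding the hex column rather than the ASCII column matters for exactly the request line: `HTTP/1.0..Hos` in the ASCII column could be two literal periods or a CRLF, and only the bytes `0D 0A` settle it. For a sustained investigation (the ISAPI probes mentioned above), `-b` binary logging keeps the whole packet and avoids parsing text dumps at all.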
