Snort mailing list archives
Re: SNORT Alert Messages
From: Russ via Snort-devel <snort-devel () lists snort org>
Date: Sat, 9 Jun 2018 22:36:25 -0400
For Snort 3: snort -A csv will get you output like this by default:

05/28-08:07:32.663858, 1, TCP, raw, 40, C2S, 10.1.2.3:48620, 10.9.8.7:80, 1:1:0, allow

The second field is the packet number.

On 6/9/18 9:05 PM, Y M via Snort-devel wrote:
Besides reviewing the pcap, you can also do the following:

In Snort 2 > -A console:test

In Snort 3 > -A log_hext, this will get you closer but not what you are looking for. You can play with --lua "log_hext = { raw = true }", but I didn't get the output you are looking for.

YM

------------------------------------------------------------------------
*From:* Snort-devel <snort-devel-bounces () lists snort org> on behalf of Y M via Snort-devel <snort-devel () lists snort org>
*Sent:* Sunday, June 10, 2018 3:21 AM
*To:* snort-devel () lists snort org
*Subject:* Re: [Snort-devel] SNORT Alert Messages

Comments inline.

------------------------------------------------------------------------
> Hello again everyone,
>
> I want to learn which alert belongs to which packet when SNORT prints alert messages. Is there any unique parameter that identifies packets?

Such questions are better suited to the snort-user list. You will probably catch a wider audience there.

> For example, when I give a pcap file which includes more than 50.000 packets inside to SNORT, I want to see alert messages like that:
> [some alert] - Packet ID: 125
> [some alert] - Packet ID: 200
> [some alert] - Packet ID: 1456
> .
> .
> .
> [some alert] - Packet ID: 23500

Which Snort version are we talking about here?

> If there is no unique parameter for packets, how can I learn which alert belongs to which packet from the alert messages?

By reviewing the packets via tcpdump/wireshark/tshark and correlating that to the detected rules? You can also chop your pcap into smaller chunks, which should make it easier.

> Thanks.

_______________________________________________
Snort-devel mailing list
Snort-devel () lists snort org
https://lists.snort.org/mailman/listinfo/snort-devel
Please visit http://blog.snort.org for the latest news about Snort!
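To make Russ's point usable, here is an added example (not code from the Snort project or from anyone in this thread) that parses Snort 3 "-A csv" alert lines and turns them into the "[alert] - Packet ID: N" listing the original poster asked for, plus a per-packet grouping. The column order (timestamp, pkt_num, proto, pkt_gen, pkt_len, dir, src_ap, dst_ap, rule, action) is an assumption inferred from the one sample line Russ quoted; confirm it against your build with "snort --help-module alert_csv". All alert lines after the first are constructed sample data.

```python
"""Correlate Snort 3 `-A csv` alerts with the packet number they fired on.

Added example, not from the Snort project or the mailing-list thread.
Field order is an ASSUMPTION inferred from the sample line quoted in the
thread; check `snort --help-module alert_csv` for your build.
"""
import csv
from collections import defaultdict
from io import StringIO

FIELDS = ["timestamp", "pkt_num", "proto", "pkt_gen", "pkt_len",
          "dir", "src_ap", "dst_ap", "rule", "action"]

# Constructed sample output. The first line is the one quoted in the thread;
# the rest are made up to show several alerts on one packet and a block action.
SAMPLE_CSV = """\
05/28-08:07:32.663858, 1, TCP, raw, 40, C2S, 10.1.2.3:48620, 10.9.8.7:80, 1:1:0, allow
05/28-08:07:32.664102, 125, TCP, raw, 60, C2S, 10.1.2.3:48620, 10.9.8.7:80, 1:2000001:1, allow
05/28-08:07:32.664102, 125, TCP, raw, 60, C2S, 10.1.2.3:48620, 10.9.8.7:80, 1:2000002:1, allow
05/28-08:07:33.012345, 23500, UDP, raw, 78, S2C, 10.9.8.7:53, 10.1.2.3:51234, 1:2000003:2, block
"""


def parse_alerts(text):
    """Yield one dict per alert line; blank lines are skipped.

    A row with the wrong number of fields means the CSV layout of this build
    differs from the assumed one, so fail loudly instead of mislabelling fields.
    """
    reader = csv.reader(StringIO(text), skipinitialspace=True)
    for row in reader:
        if not row:
            continue
        if len(row) != len(FIELDS):
            raise ValueError(f"expected {len(FIELDS)} fields, got {len(row)}: {row}")
        rec = dict(zip(FIELDS, row))
        rec["pkt_num"] = int(rec["pkt_num"])   # second field: the packet number
        rec["pkt_len"] = int(rec["pkt_len"])
        yield rec


def alerts_by_packet(text):
    """Map packet number -> list of rule ids (gid:sid:rev) that fired on it."""
    grouped = defaultdict(list)
    for rec in parse_alerts(text):
        grouped[rec["pkt_num"]].append(rec["rule"])
    return dict(grouped)


def format_like_request(text):
    """Render alerts in the "[alert] - Packet ID: N" shape the poster wanted."""
    return [f"[{r['rule']}] - Packet ID: {r['pkt_num']}" for r in parse_alerts(text)]


if __name__ == "__main__":
    for line in format_like_request(SAMPLE_CSV):
        print(line)
    for pkt, rules in sorted(alerts_by_packet(SAMPLE_CSV).items()):
        print(f"packet {pkt}: {len(rules)} alert(s): {', '.join(rules)}")
```

Feed it the file written by "-A csv" (or pipe stdout into it) and the packet numbers it prints are the index you then look up in the pcap; parsing is strict on field count on purpose, because a silently shifted column would attach the wrong packet number to an alert.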
Current thread:
- SNORT Alert Messages İzzettin Erdem via Snort-devel (Jun 09)
- Re: SNORT Alert Messages Marcin Dulak via Snort-devel (Jun 09)
- Re: SNORT Alert Messages Russ via Snort-devel (Jun 09)
- <Possible follow-ups>
- SNORT Alert Messages İzzettin Erdem via Snort-devel (Jun 09)
- Re: SNORT Alert Messages Y M via Snort-devel (Jun 09)
- Re: SNORT Alert Messages Y M via Snort-devel (Jun 09)
- Re: SNORT Alert Messages Russ via Snort-devel (Jun 09)
- Re: SNORT Alert Messages Y M via Snort-devel (Jun 09)
