Re: [Snort-users] session output (Snort forums, System Security and Security Related category)
Thank you all. You've been most helpful.
~kmag

Erek Adams wrote:
> On Mon, 3 Nov 2003, Costas Magos wrote:
>
> [...snip...]
>
> > When not using the -h parameter, it seems that the IP addresses used as
> > directories were from machines that *initiated* the sessions. This was
> > verified against the actual binary, using ethereal. This was true for
> > all sessions except for two IRC sessions, where the session file
> > indicated that a non-local IP from port 6667 initiated a connection
> > toward a local IP from port 6667 (that is, a server connecting to a
> > client...) and ethereal revealed exactly the opposite: the local IP
> > connecting to a remote IRC server. It is because of this contradiction
> > that I opened this thread.
>
> If you don't use "-h <foo>", Snort should build the directory based on the
> 'higher' port number "first", which usually should be the remote system.
> In the case where the ports are equal, Snort picks the 'higher' IP, IIRC.
>
> To be honest, you'll be _much_ better off logging to binary (pcap) and
> then if you need the packet broken down, rerun Snort over the pcap file
> and use the -h <foo> switch. Quick, simple, fast. And you've got your
> pcap to go back and reread the data from with a:
>
>     snort -dvr <pcap_file> "host <foo>"
>
> Or whatever BPF filter you want to drop in.
>
> Cheers!
>
> -----
> Erek Adams
>
>     "When things get weird, the weird turn pro." H.S. Thompson
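The following is an added example, not code from the thread or from the Snort project. It models the directory-naming rule as Erek describes it (higher port first, higher IP on a tie, stated with an "IIRC") and the effect of a home network as given with -h, which is assumed here to put the session under the non-home address. It shows why an IRC session on port 6667 at both ends can land under the server's address even though the client initiated it, and why naming a home net removes the ambiguity. The sessions are constructed sample data; nothing here reads Snort's own source, so treat the default rule as a model of the quoted description rather than a guarantee of Snort's behaviour.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Session:
    """One TCP session as seen by the sniffer; src is the initiator."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


def dir_without_home_net(s: Session) -> str:
    """Model of the default naming quoted in the thread (assumption, not Snort's
    source): the endpoint with the higher port names the directory, and on equal
    ports the numerically higher IP address does."""
    if s.src_port != s.dst_port:
        return s.src_ip if s.src_port > s.dst_port else s.dst_ip
    src, dst = ipaddress.ip_address(s.src_ip), ipaddress.ip_address(s.dst_ip)
    return str(max(src, dst))


def dir_with_home_net(s: Session, home_net: str) -> str:
    """Model of -h <home_net> (assumption): traffic between a home address and a
    foreign one is filed under the foreign address, so the directory no longer
    depends on port numbers. If both or neither endpoint is in the home net the
    model falls back to the default rule."""
    net = ipaddress.ip_network(home_net, strict=False)
    src_home = ipaddress.ip_address(s.src_ip) in net
    dst_home = ipaddress.ip_address(s.dst_ip) in net
    if src_home and not dst_home:
        return s.dst_ip
    if dst_home and not src_home:
        return s.src_ip
    return dir_without_home_net(s)


def misattributed(sessions, home_net=None):
    """Return the sessions whose directory name is NOT the initiator's address,
    i.e. the cases where reading the directory as 'who connected' would mislead."""
    out = []
    for s in sessions:
        name = dir_with_home_net(s, home_net) if home_net else dir_without_home_net(s)
        if name != s.src_ip:
            out.append(s)
    return out


# Constructed sample sessions; 192.168.1.0/24 plays the local network.
SESSIONS = [
    # Ordinary web fetch: ephemeral client port is higher, so the client names the dir.
    Session("192.168.1.10", 1034, "10.0.0.5", 80),
    # IRC client on an ephemeral port talking to a server on 6667.
    Session("192.168.1.10", 33000, "203.0.113.9", 6667),
    # The puzzling case from the thread: both ends on 6667, so the tie-break on
    # the higher IP picks the remote server although the local host initiated.
    Session("192.168.1.10", 6667, "203.0.113.9", 6667),
]


if __name__ == "__main__":
    for s in SESSIONS:
        print(f"{s.src_ip}:{s.src_port} -> {s.dst_ip}:{s.dst_port}"
              f"  default={dir_without_home_net(s)}"
              f"  with -h 192.168.1.0/24={dir_with_home_net(s, '192.168.1.0/24')}")
    print("misattributed without -h:", len(misattributed(SESSIONS)))
    print("misattributed with -h:   ", len(misattributed(SESSIONS, "192.168.1.0/24")))
```

Under the default rule the first two sessions are filed under the local initiator, but the equal-port IRC session is filed under 203.0.113.9, which is exactly the "server connecting to a client" impression the thread describes. With a home net supplied, all three are filed under the foreign address, so the directory name means "the remote peer" consistently and the question of who initiated is answered by the packets themselves, which is why rerunning Snort over the saved pcap with -h is the cleaner workflow.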