64
Chapter 2: Installing Snort and Getting Started
format and view it later on. In this case, Snort logs all data to a single file in raw binary
form. A typical command for this type of log is:
snort -l /tmp -b
Snort will create a file in the /tmp directory. A typical file name may be
snort.log.1037840339. The last part of the file name depends on the clock
on your machine. Each time you start Snort in this mode, a new file will be created in
the log directory. Sometimes this mode of logging data is also called quick mode.
To view this raw binary data, you can use Snort. The -r command line switch is
used to specify a file name with Snort. The following command will display the captured
data from file snort.log.1037840339.
snort -dev -r /tmp/snort.log.1037840339 | more
The output of this command will show the data in exactly the same way as if you were
looking at it on the console in real time. You can use different switches to display different
levels of detail with this data.
You can also display a particular type of data from the log file. The following
command displays all TCP type data from the log file:
snort -dev -r /tmp/snort.log.1037840339 tcp
Similarly, ICMP and UDP types of data can also be displayed.
You can also use the tcpdump program to read files generated by Snort when logging
in this mode. The following command reads the Snort file and displays the captured
packets in the file:
[root@conformix snort]# tcpdump -r /tmp/snort.log.1037840514
20:01:54.984286 192.168.1.100.2474 > 192.168.1.2.ssh: . ack 4119588794 
win 16960 (DF)
20:01:54.984407 192.168.1.2.ssh > 192.168.1.100.2474: P 81:161(80) ack 
0 win 32016 (DF) [tos 0x10] 
20:01:54.985428 192.168.1.2.ssh > 192.168.1.100.2474: P 161:241(80) ack 
0 win 32016 (DF) [tos 0x10] 
20:01:54.986325 192.168.1.2.ssh > 192.168.1.100.2474: P 241:321(80) ack 
0 win 32016 (DF) [tos 0x10] 
20:01:54.988508 192.168.1.100.2474 > 192.168.1.2.ssh: . ack 161 win 
16800 (DF)
20:01:54.988627 192.168.1.2.ssh > 192.168.1.100.2474: P 321:465(144) 
ack 0 win 32016 (DF) [tos 0x10] 
20:01:54.990771 192.168.1.100.2474 > 192.168.1.2.ssh: . ack 321 win 
16640 (DF)
20:01:55.117890 192.168.1.100.2474 > 192.168.1.2.ssh: . ack 465 win 
16496 (DF)
20:01:55.746665 192.168.1.1.1901 > 239.255.255.250.1900:  udp 269
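As an added example (not code from the book), the following Python reads the kind of binary log file described above, assuming it is in libpcap format (the format tcpdump reads), and filters records by protocol the way "snort -r file tcp" does. The sample log is constructed inline and reuses the addresses from the tcpdump output above; build_pcap, ipv4_frame, read_pcap and select are names chosen here.

```python
import struct
PCAP_MAGIC = 0xA1B2C3D4            # libpcap magic number, microsecond timestamps
PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}

def build_pcap(packets):
    """Write a little-endian libpcap file (constructed data) from (sec, usec, frame) tuples."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)  # linktype 1 = Ethernet
    for sec, usec, frame in packets:
        out += struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame
    return out

def ipv4_frame(proto, src, dst, sport=None, dport=None):
    """Constructed Ethernet/IPv4 frame with an empty payload; ports only for TCP and UDP."""
    eth = b"\x00" * 12 + b"\x08\x00"
    l4 = b"" if sport is None else struct.pack("!HH", sport, dport)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return eth + ip + l4

def read_pcap(data):
    """Yield (timestamp, proto, src, dst, sport, dport) for each Ethernet/IPv4 record."""
    if struct.unpack("<I", data[:4])[0] != PCAP_MAGIC:
        raise ValueError("not a little-endian libpcap file")
    if struct.unpack("<I", data[20:24])[0] != 1:
        raise ValueError("only Ethernet (linktype 1) is handled here")
    off = 24
    while off + 16 <= len(data):
        sec, usec, incl, _orig = struct.unpack("<IIII", data[off:off + 16])
        frame = data[off + 16:off + 16 + incl]
        off += 16 + incl
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":   # skip non-IPv4 frames
            continue
        ihl, proto = (frame[14] & 0x0F) * 4, frame[23]
        src, dst = (".".join(map(str, frame[i:i + 4])) for i in (26, 30))
        sport = dport = None
        if proto in (6, 17) and len(frame) >= 14 + ihl + 4:
            sport, dport = struct.unpack("!HH", frame[14 + ihl:14 + ihl + 4])
        yield (sec + usec / 1e6, PROTO_NAMES.get(proto, str(proto)), src, dst, sport, dport)

def select(data, proto_name=None):
    """Like 'snort -r file tcp': return only records of one protocol (or all of them)."""
    return [p for p in read_pcap(data) if proto_name is None or p[1] == proto_name]

SAMPLE = build_pcap([   # constructed sample log
    (1037840339, 984286, ipv4_frame(6, "192.168.1.100", "192.168.1.2", 2474, 22)),
    (1037840339, 985428, ipv4_frame(6, "192.168.1.2", "192.168.1.100", 22, 2474)),
    (1037840340, 746665, ipv4_frame(17, "192.168.1.1", "239.255.255.250", 1901, 1900)),
    (1037840340, 900000, ipv4_frame(1, "192.168.1.100", "192.168.1.2")),
])
```

Passing "udp" or "icmp" to select() corresponds to the other protocol filters the text mentions.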