Chapter 2 Installing Snort and Getting Started
format and view it later on. In this case, Snort logs all data to a single file in raw binary form. A typical command for this type of log is:
snort -l /tmp -b
Snort will create a file in the /tmp directory. A typical file name is snort.log.1037840339. The last part of the file name depends on the clock on your machine. Each time you start Snort in this mode, a new file is created in the log directory. This mode of logging data is sometimes also called quick mode.
To view this raw binary data, you can use Snort itself. The -r command line switch is used to specify a file name to read from. The following command displays the captured data from file snort.log.1037840339:
snort -dev -r /tmp/snort.log.1037840339 | more
The output of this command shows the data in exactly the same way as if you were looking at it on the console in real time. You can use different switches to display different levels of detail for this data.
You can also display a particular type of data from the log file. The following command displays only TCP packets from the log file:
snort -dev -r /tmp/snort.log.1037840339 tcp
Similarly, ICMP and UDP types of data can also be displayed.
You can also use the tcpdump program to read files generated by Snort when logging in this mode. The following command reads the Snort file and displays the packets captured in it:
[root@conformix snort]# tcpdump -r /tmp/snort.log.1037840514
20:01:54.984286 192.168.1.100.2474 > 192.168.1.2.ssh: . ack 4119588794 win 16960 (DF)
20:01:54.984407 192.168.1.2.ssh > 192.168.1.100.2474: P 81:161(80) ack 0 win 32016 (DF) [tos 0x10]
20:01:54.985428 192.168.1.2.ssh > 192.168.1.100.2474: P 161:241(80) ack 0 win 32016 (DF) [tos 0x10]
20:01:54.986325 192.168.1.2.ssh > 192.168.1.100.2474: P 241:321(80) ack 0 win 32016 (DF) [tos 0x10]
20:01:54.988508 192.168.1.100.2474 > 192.168.1.2.ssh: . ack 161 win 16800 (DF)
20:01:54.988627 192.168.1.2.ssh > 192.168.1.100.2474: P 321:465(144) ack 0 win 32016 (DF) [tos 0x10]
20:01:54.990771 192.168.1.100.2474 > 192.168.1.2.ssh: . ack 321 win 16640 (DF)
20:01:55.117890 192.168.1.100.2474 > 192.168.1.2.ssh: . ack 465 win 16496 (DF)
20:01:55.746665 192.168.1.1.1901 > 239.255.255.250.1900: udp 269
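The tcpdump step works because Snort's -b mode writes its log in the same libpcap file format tcpdump uses. As an added example (not code from the book or from the Snort project), here is a small Python reader for such a file that counts packets per transport protocol, the equivalent of replaying the log with the tcp/udp/icmp filter shown above; it builds a constructed two-packet capture in memory instead of reading /tmp/snort.log.*, and it assumes an Ethernet link type.

```python
import struct
from collections import Counter

# Constructed sample: a pcap global header (little-endian, link type 1 = Ethernet)
# followed by two records, one IPv4/TCP packet and one IPv4/UDP packet.
PCAP_MAGIC_LE = 0xA1B2C3D4
PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}

def _ipv4_frame(proto, payload):
    """Minimal Ethernet + IPv4 frame around payload (checksums left zero; constructed)."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                         bytes([192, 168, 1, 100]), bytes([192, 168, 1, 2]))
    return b"\x00" * 12 + b"\x08\x00" + ip_hdr + payload

def build_sample_pcap():
    """Stand-in for /tmp/snort.log.<epoch>: a two-packet capture built in memory."""
    data = struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, 1)  # 24-byte global header
    tcp = struct.pack("!HHIIBBHHH", 2474, 22, 1, 0, 0x50, 0x10, 16960, 0, 0)  # 2474 -> ssh, ACK set
    udp = struct.pack("!HHHH", 1901, 1900, 8, 0)  # 1901 -> 1900, like the last tcpdump line above
    for ts, frame in ((1037840514, _ipv4_frame(6, tcp)), (1037840515, _ipv4_frame(17, udp))):
        data += struct.pack("<IIII", ts, 0, len(frame), len(frame)) + frame  # record header + frame
    return data

def read_pcap(data):
    """Yield (timestamp, frame) per record; handles either byte order and a truncated tail."""
    endian = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(struct.unpack("<I", data[:4])[0])
    if endian is None:
        raise ValueError("not a pcap file")
    if struct.unpack(endian + "I", data[20:24])[0] != 1:
        raise ValueError("only the Ethernet link type is handled here")
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _ = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        if off + incl_len > len(data):  # partial last record (Snort stopped mid-write): stop cleanly
            break
        yield ts_sec + ts_usec / 1e6, data[off:off + incl_len]
        off += incl_len

def count_by_protocol(data):
    """Same split as the tcp/udp/icmp filter when replaying the log: IPv4 packets per protocol."""
    counts = Counter()
    for _, frame in read_pcap(data):
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            counts["non-ip"] += 1
            continue
        counts[PROTO_NAMES.get(frame[23], str(frame[23]))] += 1  # byte 23 = IPv4 protocol field
    return counts
```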