Simple Snort Monitor
by J. Edward Durrett
This brings you to an alert summary which, depending on your environment of course, looks something like this:
177 [124:1:1] (smtp) Attempted command buffer overflow: more than 512 chars
175 [139:1:1] (spp_sdf) SDF Combination Alert
136 [1:2403378:3316] ET CINS Active Threat Intelligence Poor Reputation IP TCP group 40
115 [1:2403440:3316] ET CINS Active Threat Intelligence Poor Reputation IP TCP group 71
112 [129:5:1] Bad segment, adjusted size <= 0
111 [1:2402001:4345] ET DROP Dshield Block Listed Source group 1
77 [1:2002087:10] ET POLICY Inbound Frequent Emails - Possible Spambot Inbound
Choosing the d option shows the full alert record for a signature (I obfuscated the IPs for this posting):
[**] [129:5:1] Bad segment, adjusted size <= 0 [**]
[Classification: Potentially Bad Traffic] [Priority: 2]
03/06-19:18:53.219089 xxx.xxx.xxx.xxx:54017 -> xxx.xxx.xxx.xxx:443
TCP TTL:112 TOS:0x0 ID:2619 IpLen:20 DgmLen:41 DF
***A**** Seq: 0xD5BB074C  Ack: 0x4F8283BA  Win: 0x100  TcpLen: 20
And choosing p reveals the packets that caused the alert:
0x0000: 0016 3f21 a460 0016 3f21 9e00 0800 4500  ................
0x0010: 0028 9e87 4000 3306 50a3 ca5c 85fd cc6d  .(..@.3.P..\...m
0x0020: 3bde e316 01bb 575a b4be 0000 0000 5004  ;.....WZ......P.
0x0030: 0000 6650 0000
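As an added illustration (not the author's script), here is a small Python parser that builds the same kind of summary and per-signature detail views from Snort's full alert format; the alert records are constructed samples using private addresses.

```python
import re
from collections import Counter

# Constructed sample in Snort's full alert format (not real data; private addresses).
SAMPLE_ALERTS = """\
[**] [129:5:1] Bad segment, adjusted size <= 0 [**]
[Classification: Potentially Bad Traffic] [Priority: 2]
03/06-19:18:53.219089 10.0.0.1:54017 -> 10.0.0.2:443
TCP TTL:112 TOS:0x0 ID:2619 IpLen:20 DgmLen:41 DF
***A**** Seq: 0xD5BB074C  Ack: 0x4F8283BA  Win: 0x100  TcpLen: 20

[**] [124:1:1] (smtp) Attempted command buffer overflow: more than 512 chars [**]
[Classification: Attempted Administrator Privilege Gain] [Priority: 1]
03/06-19:20:01.000000 10.0.0.3:41000 -> 10.0.0.2:25
TCP TTL:64 TOS:0x0 ID:1 IpLen:20 DgmLen:600 DF

[**] [129:5:1] Bad segment, adjusted size <= 0 [**]
[Classification: Potentially Bad Traffic] [Priority: 2]
03/06-19:21:10.500000 10.0.0.4:50000 -> 10.0.0.2:443
TCP TTL:112 TOS:0x0 ID:2620 IpLen:20 DgmLen:41 DF
"""
# First line of every record: [**] [gid:sid:rev] message [**]
HEADER_RE = re.compile(r"^\[\*\*\] \[(\d+):(\d+):(\d+)\] (.*?) \[\*\*\]$")

def parse_alerts(text):
    """Split full-format alert output on blank lines; one dict per record."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.splitlines()
        m = HEADER_RE.match(lines[0])
        if not m:
            continue  # skip anything that is not an alert header
        gid, sid, rev, msg = m.groups()
        records.append({"id": f"{gid}:{sid}:{rev}", "msg": msg, "raw": block})
    return records

def summarize(records):
    """Count alerts per signature, most frequent first (the summary view)."""
    counts = Counter((r["id"], r["msg"]) for r in records)
    return [(n, sig, msg) for (sig, msg), n in counts.most_common()]

def details(records, sig_id):
    """Return the full alert records for one signature (the d option)."""
    return [r["raw"] for r in records if r["id"] == sig_id]

if __name__ == "__main__":
    recs = parse_alerts(SAMPLE_ALERTS)
    for n, sig, msg in summarize(recs):
        print(f"{n} [{sig}] {msg}")
    print("\n\n".join(details(recs, "129:5:1")))
```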
This makes setting up and tuning a new Snort instance fairly simple. It is not a full packet analysis suite; for deep analysis, taking a full packet capture into Wireshark is obviously the preferred method.
Copyright (c) 2019, Jason Edward Durrett - All content on this site, unless otherwise noted, is subject to this license.
Please contact me if any errors, such as erroneous / misleading content or missing / incomplete attribution, are found.