[Snort-devel] Re: Has anybody checked this out? and others
pmullen at ...43...
Sun Feb 25 23:51:18 EST 2001
> a big difference. If people want the Snort decoders to pop an alert
> every time they get a bad packet, I'll write it up to do that but I'm
> willing to bet that people aren't really interested in that sort of
Snort already does this, and we have proven people aren't really interested
in this. This is why I am recoding a threshold into SPP and its reporting
of "TCP Stealth" (aka TCP anomalous packet) detection.
> truly understood the nature of Snort and find it to be pretty
> intellectually dishonest coming from a coder. It smacks of marketing to
Uh... You didn't just use that phrase. I *know* you didn't just use
*that* phrase... ;)
> I'd like to test out the code and see if there's some really original
> stuff here, but unfortunately it doesn't compile cleanly on FreeBSD or
> OpenBSD so I haven't had a chance to check it out yet.
Link? Sorry, I missed it.
I have an idea on short-longish term packet storage. Of course this is
in the context of port scan detection and reporting. Does 1.7 or beyond
have any facility for referring back to a previous packet?
Also, I figured out why I was getting double alerts before. The TCPDUMP
log facility was sending a "LOG:" message to syslog because I don't send
a packet pointer with the alert. REALLY annoying when you are already
logging to syslog, and I'm not sure of the benefit regardless.
How can I get snort to log EVERY packet it sees? Also, how can I get it
to log packets in separate files like in the old days, based on host?
Currently, I seem to be getting a lot of "Destination Host Unreachable"
messages, and I'm trying to figure out why. I have the tcpdump log
set up, but it doesn't seem to consistently log even packets that generated