[Snort-devel] Re: Has anybody checked this out? and others

Patrick Mullen pmullen at ...43...
Sun Feb 25 23:51:18 EST 2001


> a big difference.  If people want the Snort decoders to pop an alert
> every time they get a bad packet, I'll write it up to do that but I'm
> willing to bet that people aren't really interested in that sort of
> thing.

Snort already does this, and we have proven people aren't really interested
in this.  This is why I am recoding a threshold into SPP and its reporting
of "TCP Stealth" (aka TCP anomalous packet) detection.
 
> truly understood the nature of Snort and find it to be pretty
> intellectually dishonest coming from a coder.  It smacks of marketing to

Uh...  You didn't just use that phrase.  I *know* you didn't just use
*that* phrase...  ;)

> I'd like to test out the code and see if there's some really original
> stuff here, but unfortunately it doesn't compile cleanly on FreeBSD or
> OpenBSD so I haven't had a chance to check it out yet.

Link?  Sorry, I missed it.

I have an idea on short-longish term packet storage.  Of course this is
in the context of port scan detection and reporting.  Does 1.7 or beyond
have any facility for referring back to a previous packet?

Also, I figured out why I was getting double alerts before.  The TCPDUMP
log facility was sending a "LOG:" message to syslog because I don't send
a packet pointer with the alert.  REALLY annoying when you are already
logging to syslog, and I'm not sure of the benefit regardless.

How can I get snort to log EVERY packet it sees?  Also, how can I get it
to log packets in separate files like in the old days, based on host?
Currently, I seem to be getting a lot of "Destination Host Unreachable"
messages, and I'm trying to figure out why.  I have the tcpdump log
set up, but it doesn't seem to consistently log even packets that generated
an alert.  


Thanks,

~Patrick
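The thresholding idea in the message above (report anomalous-flag TCP packets per source only once a count is reached inside a time window, instead of alerting on every bad packet) can be sketched as follows. This is an added illustration, not code from the original post, from Snort or from its portscan preprocessor; the flag-combination classes, the threshold/window values and the packet tuples are all constructed assumptions for the example.

```python
from collections import defaultdict, deque

# Constructed sample traffic: (timestamp, src_ip, dst_ip, dst_port, flags).
# Flags are a string drawn from "FSRPAU" (FIN, SYN, RST, PSH, ACK, URG).
SAMPLE_PACKETS = [
    (0.0, "10.0.0.5", "192.168.1.10", 22, ""),      # NULL probe
    (0.5, "10.0.0.5", "192.168.1.10", 23, ""),
    (1.0, "10.0.0.5", "192.168.1.10", 25, ""),
    (1.5, "10.0.0.5", "192.168.1.10", 80, ""),      # 4th in window -> one alert
    (2.0, "10.0.0.5", "192.168.1.10", 110, ""),     # further hits are suppressed
    (2.5, "10.0.0.5", "192.168.1.10", 143, ""),
    (3.0, "10.0.0.9", "192.168.1.10", 80, "S"),     # normal SYN, ignored
    (3.5, "10.0.0.9", "192.168.1.10", 80, "FPU"),   # anomalous, but below threshold
    (4.0, "10.0.0.9", "192.168.1.10", 443, "SF"),
    (20.0, "10.0.0.5", "192.168.1.10", 8080, ""),   # window expired, count restarts
]


def is_anomalous(flags):
    """True for TCP flag combinations that never occur in a legitimate
    exchange: no flags at all (NULL), SYN together with FIN, or
    FIN/PSH/URG carried without ACK, SYN or RST (XMAS-style probes).
    The class list is an assumption of this example, not Snort's."""
    f = set(flags)
    if not f:
        return True
    if "S" in f and "F" in f:
        return True
    if "A" not in f and "S" not in f and "R" not in f:
        return True
    return False


class ThresholdReporter:
    """Per-source sliding-window counter that reports at most once per window."""

    def __init__(self, threshold, window):
        self.threshold = threshold
        self.window = window
        self.events = defaultdict(deque)   # src -> timestamps still inside window
        self.reported = {}                 # src -> timestamp of last alert

    def record(self, ts, src):
        q = self.events[src]
        q.append(ts)
        # Drop timestamps that have aged out of the window.
        while q and ts - q[0] > self.window:
            q.popleft()
        if len(q) >= self.threshold:
            last = self.reported.get(src)
            if last is None or ts - last > self.window:
                self.reported[src] = ts
                return True
        return False


def scan_alerts(packets, threshold=4, window=10.0):
    """Run the reporter over packets; return (ts, src, count_in_window)
    for each alert actually emitted."""
    reporter = ThresholdReporter(threshold, window)
    alerts = []
    for ts, src, _dst, _dport, flags in packets:
        if is_anomalous(flags) and reporter.record(ts, src):
            alerts.append((ts, src, len(reporter.events[src])))
    return alerts


if __name__ == "__main__":
    for ts, src, n in scan_alerts(SAMPLE_PACKETS):
        print(f"t={ts:5.1f}  {src}: {n} anomalous TCP packets within window")
```

With the sample above, six NULL probes from 10.0.0.5 produce a single alert (at the fourth packet) rather than six, and the two stray probes from 10.0.0.9 stay below the threshold; raising or lowering `threshold` and `window` is the knob the message is talking about.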
