[Snort-devel] Re: Has anybody checked this out? and others
roesch at ...48...
Mon Feb 26 00:04:34 EST 2001
Patrick Mullen wrote:
> > a big difference. If people want the Snort decoders to pop an alert
> > every time they get a bad packet, I'll write it up to do that but I'm
> > willing to bet that people aren't really interested in that sort of
> > thing.
> Snort already does this, and we have proven people aren't really interested
> in this. This is why I am recoding a threshold into SPP and its reporting
> of "TCP Stealth" (aka TCP anomalous packet) detection.
> > truly understood the nature of Snort and find it to be pretty
> > intellectually dishonest coming from a coder. It smacks of marketing to
> Uh... You didn't just use that phrase. I *know* you didn't just use
> *that* phrase... ;)
Sorry, it just slipped out. I must have been having a psychotic
> > I'd like to test out the code and see if there's some really original
> > stuff here, but unfortunately it doesn't compile cleanly on FreeBSD or
> > OpenBSD so I haven't had a chance to check it out yet.
> Link? Sorry, I missed it.
Go to Freshmeat and search for prelude.
> I have an idea on short-longish term packet storage. Of course this is
> in the context of port scan detection and reporting. Does 1.7 or beyond
> have any facility for referring back to a previous packet?
Not currently, we've been talking about it for the future. The problem
with doing this is that we take a big performance hit searching the
lookback buffer and writing interesting packets out, not to mention all
the housekeeping that'll need to be done.
We *are* thinking about good ways to do this in 2.0 if we can figure out
some way that won't kill performance.
> Also, I figured out why I was getting double alerts before. The TCPDUMP
> log facility was sending a "LOG:" message to syslog because I don't send
> a packet pointer with the alert. REALLY annoying when you are already
> logging to syslog, and I'm not sure of the benefit regardless.
That should probably be turned off for general usage.
> How can I get snort to log EVERY packet it sees? Also, how can I get it
> to log packets in separate files like in the old days, based on host?
> Currently, I seem to be getting a lot of "Destination Host Unreachable"
> messages, and I'm trying to figure out why. I have the tcpdump log
> set up, but it doesn't seem to consistently log even packets that generated
> an alert.
Run it in packet logger mode:
snort -l <logdir> -h <homenet>
If you want to log all the packets in "fast logger mode", try:
snort -l <logdir> -b
You can then post-process the collected log file and break everything
out into the "packet tree" format like this:
snort -l <logdir> -h <homenet> -r <logfile>
Check out the USAGE file; it's up to date on run-time modes and a lot of
general information that's useful to Snort users.
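The three commands above describe a capture-then-replay workflow: -b writes every packet into one binary tcpdump-format file, and reading that file back with -r and -h breaks it out into per-host directories. The following is an added illustration of that post-processing step, not Snort's own code and not part of this thread: a small pcap reader that decodes Ethernet/IPv4 records and groups them by the non-home ("foreign") address the way the -l/-h packet tree is keyed. The function names, the sample capture (constructed inline) and the simplified grouping rule (non-home address, falling back to the source when both or neither side is in the home net) are assumptions for illustration; Snort's real tree also splits files by protocol and port, which this leaves out.

```python
import struct
import ipaddress
from collections import defaultdict

PCAP_MAGIC_LE = 0xA1B2C3D4   # little-endian pcap magic, as written by libpcap on x86
LINKTYPE_ETHERNET = 1
PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}


def build_pcap(frames):
    """Serialize raw Ethernet frames into a pcap byte string (the container
    format the -b 'fast logger' mode writes). Timestamps are synthetic."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1000 + i, 0, len(frame), len(frame)) + frame
    return out


def build_ipv4_frame(src, dst, proto, payload=b""):
    """Build a minimal Ethernet + IPv4 frame for test data (checksum left zero)."""
    eth = b"\x00" * 12 + b"\x08\x00"          # dst MAC, src MAC, EtherType IPv4
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                     ipaddress.IPv4Address(src).packed,
                     ipaddress.IPv4Address(dst).packed)
    return eth + ip + payload


def iter_pcap(data):
    """Yield (timestamp, frame_bytes) for each record; only little-endian
    files with an Ethernet link type are accepted, everything else is an error."""
    magic, _vmaj, _vmin, _tz, _sig, _snap, link = struct.unpack_from("<IHHiIII", data, 0)
    if magic != PCAP_MAGIC_LE or link != LINKTYPE_ETHERNET:
        raise ValueError("unsupported pcap header")
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack_from("<IIII", data, off)
        off += 16
        frame = data[off:off + incl_len]
        if len(frame) < incl_len:
            raise ValueError("truncated packet record")   # file cut short mid-packet
        off += incl_len
        yield ts_sec + ts_usec / 1e6, frame


def decode_ipv4(frame):
    """Return (proto, src, dst) for an Ethernet/IPv4 frame, or None when the
    frame is not IPv4 (ARP, IPv6, ...) or too short to carry an IP header."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ihl = (frame[14] & 0x0F) * 4
    if ihl < 20 or len(frame) < 14 + ihl:
        return None
    proto = frame[14 + 9]
    src = str(ipaddress.IPv4Address(frame[26:30]))
    dst = str(ipaddress.IPv4Address(frame[30:34]))
    return proto, src, dst


def packet_tree(data, homenet):
    """Group decoded packets by foreign host, mimicking the per-host directories
    of packet-logger mode. Returns (tree, skipped) where skipped counts
    non-IPv4 frames that a decoder would not place in the tree."""
    net = ipaddress.IPv4Network(homenet)
    tree = defaultdict(list)
    skipped = 0
    for _ts, frame in iter_pcap(data):
        decoded = decode_ipv4(frame)
        if decoded is None:
            skipped += 1
            continue
        proto, src, dst = decoded
        src_home = ipaddress.IPv4Address(src) in net
        dst_home = ipaddress.IPv4Address(dst) in net
        # Assumed rule: key on the non-home side; otherwise fall back to the source.
        key = dst if (src_home and not dst_home) else src
        tree[key].append((PROTO_NAMES.get(proto, str(proto)), src, dst))
    return dict(tree), skipped


# Constructed sample capture: three IPv4 packets and one ARP frame (not in the thread).
SAMPLE_PCAP = build_pcap([
    build_ipv4_frame("192.168.1.10", "10.0.0.5", 6, b"\x00" * 20),              # home -> foreign, TCP
    build_ipv4_frame("10.0.0.5", "192.168.1.10", 1, b"\x08\x00" + b"\x00" * 6),  # foreign -> home, ICMP echo
    build_ipv4_frame("172.16.0.9", "192.168.1.20", 17, b"\x00" * 8),            # foreign -> home, UDP
    b"\xff" * 6 + b"\x00" * 6 + b"\x08\x06" + b"\x00" * 28,                     # ARP: skipped
])

if __name__ == "__main__":
    tree, skipped = packet_tree(SAMPLE_PCAP, "192.168.1.0/24")
    for host, pkts in sorted(tree.items()):
        print(host, pkts)
    print("skipped non-IPv4 frames:", skipped)
```

Running it on the constructed capture yields two host buckets (10.0.0.5 with a TCP and an ICMP packet, 172.16.0.9 with a UDP packet) and one skipped ARP frame. Replaying a real -b file through Snort with -r does the same thing in far more detail, and is the cheap way to get the per-host layout without paying the decode cost on the live sensor.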