[Snort-devel] Re: Has anybody checked this out? and others

Martin Roesch roesch at ...48...
Mon Feb 26 00:04:34 EST 2001

Patrick Mullen wrote:
> > a big difference.  If people want the Snort decoders to pop an alert
> > everytime they get a bad packet, I'll write it up to do that but I'm
> > willing to bet that people aren't really interested in that sort of
> > thing.
> Snort already does this, and we have proven people aren't really interested
> in this.  This is why I am recoding a threshold into SPP and its reporting
> of "TCP Stealth" (aka TCP anomalous packet) detection.


> > truly inderstood the nature of Snort and find it to be pretty
> > intellectually dishonest coming from a coder.  It smacks of marketing to
> Uh...  You didn't just use that phrase.  I *know* you didn't just use
> *that* phrase...  ;)

Sorry, it just slipped out.  I must have been having a psychotic
episode... :)

> > I'd like to test out the code and see if there's some really original
> > stuff here, but unfortunately it doesn't compile cleanly on FreeBSD or
> > OpenBSD so I haven't had a chance to check it out yet.
> Link?  Sorry, I missed it.

Go to Freshmeat and search for prelude.

> I have an idea on short-longish term packet storage.  Of course this is
> in the context of port scan detection and reporting.  Does 1.7 or beyond
> have any facility for referring back to a previous packet?

Not currently, we've been talking about it for the future.  The problem
with doing this is that we take a big performance hit searching the
lookback buffer and writing interesting packets out, not to mention all
the housekeeping that'll need to be done.

We *are* thinking about good ways to do this in 2.0 if we can figure out
some way that won't kill performance.

> Also, I figured out why I was getting double alerts before.  The TCPDUMP
> log facility was sending a "LOG:" message to syslog because I don't send
> a packet pointer with the alert.  REALLY annoying when you are already
> logging to syslog, and I'm not sure of the benefit regardless.

That should probably be turned off for general usage.

> How can I get snort to log EVERY packet it sees?  Also, how can I get it
> to log packets in separate files like in the old days, based on host?
> Currently, I seem to be getting a lot of "Destination Host Unreachable"
> messages, and I'm trying to figure out why.  I have the tcpdump log
> set up, but it doesn't seem to consistently log even packets that generated
> an alert.

Run it in packet logger mode:

snort -l <logdir> -h <homenet>

If you want to log all the packets in "fast logger mode", try:

snort -l <logdir> -b

You can then post-process the collected log file and break everything
out into the "packet tree" format like this:

snort -l <logdir> -h <homenet> -r <logfile>

Check out the USAGE file, it's up to date on run-time modes and a lot of
general information that's useful to Snort users.


Martin Roesch
roesch at ...48...

More information about the Snort-devel mailing list