[Snort-devel] New alert logging mode wanted

Martin Olsson elof at ...969...
Tue Nov 20 02:48:04 EST 2001


Currently the "-A full" logging mode logs only the full decoded header with
the alert message. I would like a new mode where the entire packet, not
just the header, is decoded and shown.
I believe this is exactly the same text that will be written to the
logfile (e.g. logdir/10.0.0.15/TCP:1089-80), so in short all I want is for
the text to be written both to the alert-file and to the normal
destination.

It would also be nice to be able to crop the output (if the packet is
big)...
You could add the option "packet" which takes an additional parameter:
-A packet <size>
-A packet 0
-A packet 32
0 - the entire packet is shown along with the header and alert-message.
32 - the first 32 bytes of the packet are shown...

With this new alert mode you can have a logging console which shows the
latest alerts and you don't have to manually peek at the decoded packets
to see what kind of data triggered the alert.
Example: When my console shows "WEB-MISC guestbook access" I directly want
to see that it was a "GET /_gfx/frame/top/guestbook_off.gif" request that
triggered it...

Oh, coming to think of it, it would be nice to have an option to disable the
normal logging while still logging to the alert file.



Ok, I know it is possible to do the above by building a shellscript that
searches for and cats all the newly created files in the logdir
subdirectories, but I haven't found a nice way to do it, that's why I'd
like snort to do "the right thing". :)


BTW, I'm not subscribing to the snort-devel list, so please reply to me
directly for comments.

Regards,
Martin Olsson
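The shell-script workaround the post mentions, written out as an added example (it is not code from the poster or from the Snort project). It emulates the requested "-A packet <size>" behaviour: every packet-log file Snort has written under the log directory since the last run is printed to the console, cropped to a byte count, so the decoded payload appears next to the alert. The logdir layout (logdir/<src-ip>/PROTO:sport-dport) follows the post; the sample packet-log contents, the function names and the marker-file mechanism are assumptions made here.

```shell
#!/bin/sh
# Hypothetical workaround (not part of Snort): emulates the requested
# "-A packet <size>" console by printing every packet-log file written
# under LOGDIR since the last run, cropped to SIZE bytes each.
# The logdir/<src-ip>/PROTO:sport-dport layout follows the post;
# the sample data below is constructed for demonstration.

# make_sample_logdir DIR
# Builds a constructed Snort-style log tree with one decoded TCP packet so
# the script can be exercised offline. Not a real capture.
make_sample_logdir() {
    mkdir -p "$1/10.0.0.15"
    printf '%s\n' \
        '11/20-02:48:04.123456 10.0.0.15:1089 -> 10.0.0.1:80' \
        'TCP TTL:64 TOS:0x0 ID:1234 IpLen:20 DgmLen:300 DF' \
        '***AP*** Seq: 0x1  Ack: 0x1  Win: 0x2000  TcpLen: 20' \
        'GET /_gfx/frame/top/guestbook_off.gif HTTP/1.0' \
        > "$1/10.0.0.15/TCP:1089-80"
}

# show_new_packets LOGDIR MARKER [SIZE]
# Prints each file under LOGDIR that is newer than the MARKER file, with a
# header naming the file, cropped to SIZE bytes (0 or omitted = whole file),
# then advances MARKER. MARKER must live outside LOGDIR.
show_new_packets() {
    logdir=$1; marker=$2; size=${3:-0}
    # First run: date the marker older than any log file so everything is "new".
    [ -f "$marker" ] || touch -t 200001010000 "$marker"
    # Take the next timestamp *before* scanning. A file written while the
    # scan runs may then be shown twice, but it is never missed, which is
    # the right trade-off for an alert console.
    touch "$marker.next"
    find "$logdir" -type f -newer "$marker" | sort | while read -r f; do
        printf '=== %s ===\n' "${f#"$logdir"/}"
        if [ "$size" -gt 0 ]; then
            head -c "$size" "$f"   # head -c: GNU and BSD, not strictly POSIX
            printf '\n'
        else
            cat "$f"
        fi
    done
    mv "$marker.next" "$marker"
}

# Typical use: run in a loop (or from cron) alongside snort so the console
# shows the decoded payload next to each alert, 32 bytes per packet:
#   while :; do show_new_packets /var/log/snort /var/tmp/snort.seen 32; sleep 2; done
```

The marker file is the only state; `find -newer` compares modification times strictly, so on a filesystem with one-second timestamp resolution a file written in the same second as the marker is deferred to the next run rather than lost.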
