[Snort-devel] New alert logging mode wanted

Abe L. Getchell abegetchell at ...243...
Tue Nov 20 19:30:02 EST 2001


Hi Martin,

This type of logging/alerting method would be rather slow.  Logging data
in an ASCII format is already kind of pokey (meaning slower than logging
in binary format).  Having to log that data twice in different locations
on the drive would slow things down even more.  This would be bad
because Snort should spend its time analyzing packets, not writing
_duplicate_ log data to disk.

I would look at something like SnortSnarf, or another application which
post-processes the logs, to provide this functionality.  The feature you
describe seems to be more of a convenience than anything else IMHO.

The SnortSnarf homepage can be found at:
http://www.silicondefense.com/software/snortsnarf/.

More add-on analysis tools can be found at:
http://www.snort.org/downloads-other.html

<soapbox>
Snort is a raw tool.  It's a raw tool because the developers concentrate
more on coding a high-performance and stable detection engine than an
application which generates data that's easy to look at without some
form of post-processing.  It's _very_ important to remember that when
implementing Snort in any environment.  I wish some reviewers out there
would keep this thought in mind when next reviewing the top-notch IDS
that is Snort.
</soapbox>

Thanks,
Abe

--
Abe L. Getchell
Security Engineer
abegetchell at ...243...


> -----Original Message-----
> From: snort-devel-admin at lists.sourceforge.net 
> [mailto:snort-devel-admin at lists.sourceforge.net] On Behalf Of 
> Martin Olsson
> Sent: Tuesday, November 20, 2001 5:48 AM
> To: snort-devel at lists.sourceforge.net
> Cc: Martin Olsson
> Subject: [Snort-devel] New alert logging mode wanted
> 
> 
> 
> Currently the "-A full" logging mode log only the full 
> decoded header with the alert message. I would like a new 
> mode where the entire packet, not just the header, is decoded 
> and shown. I believe this is exactly the same text that will 
> be written to the logfile (e.g. 
> logdir/10.0.0.15/TCP:1089-80), so in short all I want is for 
> the text to be written both to the alert-file and to the 
> normal destination.
> 
> It would also be nice to be able to crop the output (if the 
> packet is big)... You could add the option "packet" which 
> takes an additional parameter:
>   -A packet <size>
>   -A packet 0
>   -A packet 32
> 0 - the entire packet is shown along with the header and 
> alert-message.
> 32 - the first 32 bytes of the packet are shown...
> 
> With this new alert mode you can have a logging console which 
> shows the latest alerts and you don't have to manually peek 
> at the decoded packets to see what kind of data triggered the alert.
> Example: When my console show "WEB-MISC guestbook access" I 
> directly want to see that it was a "GET 
> /_gfx/frame/top/guestbook_off.gif" request that triggered it...
> 
> Oh, coming to think of it, it would be nice with an option to 
> disable the normal logging while still logging to the alert file.
> 
> 
> 
> Ok, I know it is possible to do the above by building a 
> shellscript that search for and cat all the newly created 
> files in the logdir subdirectories, but I haven't found a 
> nice way to do it, that's why I'd like snort to do "the right 
> thing". :)
> 
> 
> BTW, I'm not subscribing to the snort-devel list, so please 
> reply to me directly for comments.
> 
> Regards,
> Martin Olsson
> 
> 
> _______________________________________________
> Snort-devel mailing list
> Snort-devel at lists.sourceforge.net 
> https://lists.sourceforge.net/lists/listinfo/snort-devel
> 
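The post-processing route Abe recommends, and the "shellscript that searches for and cats the newly created files" Martin says he never found a nice way to write, as an added example that is neither Snort's code nor either poster's. It assumes the packet-log layout Martin quotes (logdir/<src ip>/<PROTO>:<sport>-<dport>) and a minimal "-A full"-style alert file; the alert entries and the packet log it creates are constructed stand-ins, and a real Snort alert and ASCII packet dump carry extra header lines that the parser simply ignores.

```sh
#!/bin/sh
# Added example (not Snort's own code): correlate alert entries with the
# per-flow ASCII packet logs under logdir and print the first N bytes of each
# (0 = the whole log), which is the "-A packet <size>" behaviour requested
# in the thread, done outside Snort.
# Assumed layout, taken from the original post: logdir/<src ip>/<PROTO>:<sport>-<dport>

# show_alert_packets LOGDIR ALERTFILE [NBYTES]  -> exit status 0 if any log was found
show_alert_packets() {
  logdir=$1; alertfile=$2; nbytes=${3:-0}
  msg=''; src=''; sport=''; dport=''; found=0
  while IFS= read -r line || [ -n "$line" ]; do
    case $line in
      '[**]'*)                         # "[**] WEB-MISC guestbook access [**]"
        msg=${line#'[**] '}; msg=${msg%' [**]'} ;;
      *' -> '*)                        # "11/20-05:48:00.123456 10.0.0.15:1089 -> 10.0.0.1:80"
        set -- $line                   # split on whitespace: date src "->" dst
        src=${2%:*}; sport=${2##*:}; dport=${4##*:} ;;
      TCP*|UDP*)                       # "TCP TTL:64 TOS:0x0 ..." (ICMP logs are named differently; not handled)
        proto=${line%% *}
        f="$logdir/$src/$proto:$sport-$dport"
        [ -n "$src" ] && [ -f "$f" ] || continue   # alert with no packet log: skip silently
        found=1
        printf '%s  (%s)\n' "$msg" "$f"
        if [ "$nbytes" -eq 0 ]; then cat "$f"; else dd if="$f" bs=1 count="$nbytes" 2>/dev/null; fi
        echo ;;
    esac
  done < "$alertfile"
  [ "$found" -eq 1 ]
}

# make_sample DIR: constructed alert file (two alerts, one of them with no
# matching packet log) and one stand-in packet log, in the assumed layout.
make_sample() {
  mkdir -p "$1/10.0.0.15"
  printf '%s\n' \
    '[**] WEB-MISC guestbook access [**]' \
    '11/20-05:48:00.123456 10.0.0.15:1089 -> 10.0.0.1:80' \
    'TCP TTL:64 TOS:0x0 ID:1234 IpLen:20 DgmLen:60 DF' \
    '' \
    '[**] WEB-MISC guestbook access [**]' \
    '11/20-05:49:10.000000 10.0.0.99:2000 -> 10.0.0.1:80' \
    'TCP TTL:64 TOS:0x0 ID:1235 IpLen:20 DgmLen:60 DF' \
    > "$1/alert"
  # Stand-in for the decoded packet Snort would have written for the first flow
  printf 'GET /_gfx/frame/top/guestbook_off.gif HTTP/1.0\n' > "$1/10.0.0.15/TCP:1089-80"
}

# Usage: sh thisfile.sh demo   (builds the sample tree, shows the first 32 bytes per hit)
if [ "${1:-}" = "demo" ]; then
  d=$(mktemp -d); make_sample "$d"
  show_alert_packets "$d" "$d/alert" 32
  rm -rf "$d"
fi
```

Run it against a live sensor by pointing LOGDIR at Snort's -l directory and ALERTFILE at its alert file; with NBYTES set to 32 you get exactly the "-A packet 32" console view Martin describes, and Snort itself keeps writing one copy of the data, which is the performance point Abe makes.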
