[Snort-devel] Binary (pcap) Logging Limited to 128M

Bamm Visscher bamm.visscher at ...2499...
Fri Jun 13 16:32:24 EDT 2008


I'll give you that. SourceFire has done a hell of a job of clearing the lists.

On Fri, Jun 13, 2008 at 2:27 PM, Todd Wease <twease at ...402...> wrote:
> Someone's gotta keep the list clean of debris.
>
>
> Bamm Visscher wrote:
>>
>> The SF vacuum strikes again...
>>
>> Color me not surprised.
>>
>>
>>
>> On Fri, Jun 13, 2008 at 2:08 PM, Todd Wease <twease at ...402...> wrote:
>>>
>>> I guess you're screwed then.
>>>
>>> Bamm Visscher wrote:
>>>>
>>>> Tcpdump?  Wireshark?  Never heard of them.
>>>>
>>>> *sigh*
>>>>
>>>> Mainly because my sensors already have snort installed on them, so why
>>>> install another pcap collection app if I already had one that met my
>>>> needs.  Yes, I know it's hard to believe, but at one point snort was
>>>> used by people for purposes other than just a detection engine.
>>>>
>>>>
>>>> On Fri, Jun 13, 2008 at 1:57 PM, Todd Wease <twease at ...402...>
>>>> wrote:
>>>>>
>>>>> What are you trying to do?  If you're just capturing traffic, why not
>>>>> use
>>>>> tcpdump or wireshark.
>>>>>
>>>>> Bamm Visscher wrote:
>>>>>>
>>>>>> Can this be fixed?
>>>>>>
>>>>>>
>>>>>> On Fri, Jun 13, 2008 at 1:37 PM, Todd Wease <twease at ...402...>
>>>>>> wrote:
>>>>>>>
>>>>>>> The limit can only be configured from snort.conf.
>>>>>>>
>>>>>>> Bamm Visscher wrote:
>>>>>>>>
>>>>>>>> What about if you are just using -b from the cmd line b/c you don't
>>>>>>>> want snort in IDS mode?
>>>>>>>>
>>>>>>>>
>>>>>>>> On Fri, Jun 13, 2008 at 1:24 PM, Todd Wease <twease at ...402...>
>>>>>>>> wrote:
>>>>>>>>>
>>>>>>>>> In your log_tcpdump configuration, the second argument specifies
>>>>>>>>> the
>>>>>>>>> limit,
>>>>>>>>> e.g:
>>>>>>>>>
>>>>>>>>> output log_tcpdump: tcpdump.log 1G
>>>>>>>>>
>>>>>>>>> Modifiers 'K', 'M' and 'G' can be used to express the number in
>>>>>>>>> kilobytes,
>>>>>>>>> megabytes and gigabytes respectively.
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> Bamm Visscher wrote:
>>>>>>>>>>
>>>>>>>>>> I don't see a way to override this other than modifying the value
>>>>>>>>>> at
>>>>>>>>>> compile time. Is that on purpose and if so, why?
>>>>>>>>>>
>>>>>>>>>> output-plugins/spo_log_tcpdump.c
>>>>>>>>>> #define DEFAULT_LIMIT (128*M_BYTES)
>>>>>>>>>>
>>>>>>>>>> Bammkkkk
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>
>>>>
>>>>
>>>
>>
>>
>>
>
>



-- 
sguil - The Analyst Console for NSM
http://sguil.sf.net
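For readers who want to see the `output log_tcpdump: <file> <limit>` syntax from this thread handled concretely, here is an added example parser. It is not Snort's own code (the only Snort source quoted above is the `DEFAULT_LIMIT (128*M_BYTES)` define in `output-plugins/spo_log_tcpdump.c`); the function names `parse_size_arg` and `parse_log_tcpdump_line` and the `struct tcpdump_output` type are hypothetical. It accepts only the uppercase `K`, `M` and `G` modifiers Todd lists, falls back to the 128 MB default when the second argument is missing, and rejects a zero, unknown-suffix or trailing-junk limit rather than silently using it.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Unit constants; DEFAULT_LIMIT mirrors the value quoted from
 * spo_log_tcpdump.c in the thread (128 megabytes). */
#define K_BYTES (1024ULL)
#define M_BYTES (1024ULL * 1024ULL)
#define G_BYTES (1024ULL * 1024ULL * 1024ULL)
#define DEFAULT_LIMIT (128 * M_BYTES)

/* Parse a limit such as "1G", "512M", "64K" or "4096" into bytes.
 * Returns 0 for anything malformed (non-numeric, zero, unknown
 * modifier, trailing characters) so the caller can reject the line.
 * Hypothetical helper, not Snort's parser. */
unsigned long long parse_size_arg(const char *s)
{
    char *end = NULL;
    unsigned long long n;

    if (s == NULL || !isdigit((unsigned char)*s))
        return 0;
    n = strtoull(s, &end, 10);
    if (n == 0)
        return 0;                       /* a zero limit is meaningless */

    switch (*end) {
    case '\0': return n;                /* plain byte count */
    case 'K':  n *= K_BYTES; end++; break;
    case 'M':  n *= M_BYTES; end++; break;
    case 'G':  n *= G_BYTES; end++; break;
    default:   return 0;                /* only K, M, G are accepted */
    }
    return (*end == '\0') ? n : 0;      /* reject "1GB", "1G " etc. */
}

struct tcpdump_output {
    char filename[256];
    unsigned long long limit;           /* in bytes */
};

/* Parse one snort.conf line of the form
 *   output log_tcpdump: <file> [<limit>]
 * Returns 1 on success and fills *out; 0 on any error.
 * When <limit> is absent, DEFAULT_LIMIT applies. Hypothetical helper. */
int parse_log_tcpdump_line(const char *line, struct tcpdump_output *out)
{
    static const char prefix[] = "output log_tcpdump:";
    const char *delim = " \t\r\n";
    char buf[512];
    char *tok;

    if (line == NULL || out == NULL)
        return 0;
    if (strncmp(line, prefix, sizeof(prefix) - 1) != 0)
        return 0;

    /* Work on a bounded private copy because strtok modifies its input. */
    snprintf(buf, sizeof(buf), "%s", line + (sizeof(prefix) - 1));

    tok = strtok(buf, delim);
    if (tok == NULL)
        return 0;                       /* filename is mandatory */
    snprintf(out->filename, sizeof(out->filename), "%s", tok);

    out->limit = DEFAULT_LIMIT;
    tok = strtok(NULL, delim);
    if (tok != NULL) {
        out->limit = parse_size_arg(tok);
        if (out->limit == 0)
            return 0;
        if (strtok(NULL, delim) != NULL)
            return 0;                   /* unexpected extra argument */
    }
    return 1;
}

int main(void)
{
    /* Constructed sample lines: the one from the thread and a bare one. */
    const char *samples[] = {
        "output log_tcpdump: tcpdump.log 1G",
        "output log_tcpdump: tcpdump.log",
        "output log_tcpdump: tcpdump.log 10X",
    };
    size_t i;

    for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        struct tcpdump_output o;
        if (parse_log_tcpdump_line(samples[i], &o))
            printf("%-40s -> file=%s limit=%llu bytes\n",
                   samples[i], o.filename, o.limit);
        else
            printf("%-40s -> rejected\n", samples[i]);
    }
    return 0;
}
```

Run it as a plain C program; the second sample shows that leaving the limit off gives the 128 MB value the original poster was hitting, which is why the command-line `-b` case in the thread cannot raise it without a `snort.conf` entry.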