[Snort-users] Logging of packets

Fyodor fygrave at ...121...
Thu Sep 28 20:07:58 EDT 2000


~ :Thanks for pointing that out to me. I was able to log port 514 UDP packets 
~ :with the following in my rules file.
~ :
~ :log udp any any <> IP 514
~ :
~ :It would seem that you can't log UDP with the session command for port 514.
~ :Is it the same for the rest?

 
Well, UDP is a connectionless protocol, so such a thing as a `session' just does
not exist there. The code says the same thing:

sp_session.c:

FILE *OpenSessionFile(Packet *p, char *filename)
{
    char log_path[STD_BUF];
    char session_file[STD_BUF]; /* name of session file */
    if ((p->iph->ip_proto != IPPROTO_TCP) || (p->frag_flag) || p->tcph == NULL)
        return NULL;
....



