[Snort-users] Logging of packets
twhipp at ...63...
Wed Sep 27 05:32:56 EDT 2000
UDP is connectionless (although some applications such as NFS do build some
form of connection state data into their datagrams); as such, tracking
sessions for UDP traffic would require snort to understand the application
level data - which obviously would be a per-application task.
I'm pretty sure that snort's concept of a session is a TCP stream (but I'm
sure someone will correct me if I'm wrong) as anything else would be a vast
amount of development effort.
From: snort-users-admin at lists.sourceforge.net
[mailto:snort-users-admin at lists.sourceforge.net]On Behalf Of Richard Oyh
Sent: 27 September 2000 08:39
To: snort-users at lists.sourceforge.net
Subject: [Snort-users] Logging of packets
I understand that it is possible to log sessions using snort. I have tried to
log a telnet session using the following line in the rules file. It works very
log tcp any any <> $IP 23 (session: printable;)
However, when the following line was added to log syslog traffic, snort
complains that it cannot find the session file
log udp any any <> $IP 514 (session; printable;)
Is there anything that I have missed out? If it is not possible to log this
traffic as a session, is there a way to log the syslog packets? Thanks in
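As an added illustration, not part of either message above: because the session option only applies to TCP streams, the syslog datagrams can still be captured one packet at a time with a plain log rule that leaves the session option out. The $IP variable is the one used in the original rules, and the rule syntax follows the Snort 1.x form shown on this page.

```snort
# TCP: snort can track the stream, so the printable payload of the whole
# telnet session is written out as one session file (rule from the original post)
log tcp any any <> $IP 23 (session: printable;)

# UDP: there is no stream to reassemble, so omit the session option and let
# the log action write each syslog datagram to port 514 as an individual packet
log udp any any <> $IP 514 (msg: "syslog datagram";)
```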