[Snort-users] Logging of packets

Tom Whipp twhipp at ...63...
Wed Sep 27 05:32:56 EDT 2000


UDP is connectionless (although some applications such as NFS do build some
form of connection state data into their datagrams); as such, tracking
sessions for UDP traffic would require snort to understand the application
level data - which obviously would be a per-application task.

I'm pretty sure that snort's concept of a session is a TCP stream (but I'm
sure someone will correct me if I'm wrong), as anything else would be a vast
amount of development effort.

	Tom

-----Original Message-----
From: snort-users-admin at lists.sourceforge.net
[mailto:snort-users-admin at lists.sourceforge.net]On Behalf Of Richard Oyh
Sent: 27 September 2000 08:39
To: snort-users at lists.sourceforge.net
Subject: [Snort-users] Logging of packets


Hi all

I understand that it is possible to log sessions using snort. I have tried to
log a telnet session using the following line in the rules file. It works very
well.

log tcp any any <> $IP 23 (session: printable;)

However, when the following line was added to log syslog traffic, snort
complains that it cannot find the session file.

log udp any any <> $IP 514 (session; printable;)

Is there anything that I have missed out? If it is not possible to log this
traffic as a session, is there a way to log the syslog packets? Thanks in
advance.

Regards
Richard

_______________________________________________
Snort-users mailing list
Snort-users at lists.sourceforge.net
http://lists.sourceforge.net/mailman/listinfo/snort-users
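The thread above contrasts Snort's TCP-only `session` reconstruction with connectionless UDP, where the only workable notion of a "session" is a group of datagrams that share a 5-tuple and arrive without a long gap. The following is an added example, not code from the thread or from Snort: a small Python script that buckets syslog datagrams on their 5-tuple with an idle timeout and renders each bucket's payload the way a `printable` session dump would, replacing non-printable bytes. The sample packets, the collector address 10.0.0.5 and the 60-second idle timeout are constructed for the example.

```python
"""Flow-keyed grouping of UDP syslog datagrams (added example, not Snort code).

Snort's `session` keyword reconstructs TCP streams only. For UDP there is no
handshake, so this script approximates a session by bucketing datagrams on
(src_ip, src_port, dst_ip, dst_port) and closing a bucket after an idle gap.
Each bucket's payload is rendered like a `session: printable;` dump.
"""
from dataclasses import dataclass, field

# Constructed sample capture: (timestamp, src_ip, src_port, dst_ip, dst_port, payload).
# Hosts, ports and messages are made up for this example.
SAMPLE_PACKETS = [
    (1000.0, "10.0.0.8", 40001, "10.0.0.5", 514,
     b"<34>Sep 27 08:39:00 host sshd[123]: Accepted password for bob\n"),
    (1000.5, "10.0.0.8", 40001, "10.0.0.5", 514,
     b"<34>Sep 27 08:39:01 host sshd[123]: session opened\x00\x01\n"),
    (1001.0, "10.0.0.9", 51234, "10.0.0.5", 514,
     b"<13>Sep 27 08:39:02 other cron[77]: job started\n"),
    (1200.0, "10.0.0.8", 40001, "10.0.0.5", 514,
     b"<34>Sep 27 08:42:20 host sshd[123]: session closed\n"),
]

IDLE_TIMEOUT = 60.0  # assumed: seconds of silence after which a UDP flow is treated as over


@dataclass
class UdpFlow:
    src: tuple
    dst: tuple
    first_seen: float
    last_seen: float
    payload: bytearray = field(default_factory=bytearray)
    packets: int = 0


def printable(data: bytes) -> str:
    """Keep printable ASCII plus tab/newline/CR; replace every other byte with '.'."""
    return "".join(chr(b) if (32 <= b < 127 or b in (9, 10, 13)) else "." for b in data)


def group_udp_flows(packets, idle_timeout=IDLE_TIMEOUT):
    """Group datagrams into flows keyed by 5-tuple (protocol is UDP throughout).

    A gap longer than idle_timeout on the same key ends the old flow and starts a
    new one. Flows are returned ordered by the timestamp of their first datagram.
    """
    open_flows = {}
    finished = []
    for ts, sip, sport, dip, dport, data in sorted(packets, key=lambda p: p[0]):
        key = (sip, sport, dip, dport)
        flow = open_flows.get(key)
        if flow is not None and ts - flow.last_seen > idle_timeout:
            finished.append(open_flows.pop(key))  # idle gap: close the previous flow
            flow = None
        if flow is None:
            flow = UdpFlow(src=(sip, sport), dst=(dip, dport), first_seen=ts, last_seen=ts)
            open_flows[key] = flow
        flow.last_seen = ts
        flow.packets += 1
        flow.payload.extend(data)
    finished.extend(open_flows.values())  # flows still open at end of capture
    finished.sort(key=lambda f: f.first_seen)
    return finished


def render_session(flow: UdpFlow) -> str:
    """Produce a session-style dump: a one-line header followed by the printable payload."""
    header = "[UDP flow] %s:%d -> %s:%d, %d datagrams, %.1f-%.1f" % (
        flow.src[0], flow.src[1], flow.dst[0], flow.dst[1],
        flow.packets, flow.first_seen, flow.last_seen)
    return header + "\n" + printable(bytes(flow.payload))


if __name__ == "__main__":
    for f in group_udp_flows(SAMPLE_PACKETS):
        print(render_session(f))
        print()
```

Run as-is it prints three flows: the two sshd messages from 10.0.0.8 form one flow, the cron message from 10.0.0.9 a second, and the "session closed" message a third because it arrives 199.5 seconds after the previous datagram on the same 5-tuple. Whether that split is right depends entirely on the idle timeout chosen, which is the per-application judgement Tom's reply points at: a sensor has no protocol-level signal telling it where one UDP "session" ends. For simply logging the syslog datagrams, as Richard asks, a plain `log udp` rule without the `session` option records each packet on its own.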