[Snort-users] Log vs. Alert --end the confusion!
cmg at ...1935...
Tue Aug 13 07:11:02 EDT 2002
"Williams Jon" <WilliamsJon at ...2134...> writes:
> While we're talking about how preprocessors log packets, could someone help
> me out with the stream4 preprocessor? There are a number of seemingly
> useful alerts that come out of it, such as the TTL evasion alerts, but when
> I go to the log, it looks as if snort only logs the last packet or the one
> that actually triggered the alert. As a result, it is very difficult to go
> back through and describe to the "attacker" or their ISP what the activity
> was. Obviously, the stream4 preprocessor had to have had all of the packets
> go through it and remember that the TTL was 5 on packet A, 8 on B, and so
> on. Is it possible to get it to write out all the packets in the offending
I could add a flush-the-stream call to the logging subsystem, but
that's not guaranteed to show the initial packet that set the TTL. In
1.9, the ttl_evasion stuff will only go off if the current packet is a
> This goes for all the alerts that come out of this preprocessor, and
> not just the TTL one.
When we switch to a better logging subsystem, a lot more information
about "WHAT" happened will be great.
Chris Green <cmg at ...1935...>
A watched process never cores.
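As an added illustration, not code from this thread or from Snort itself: a small Python flow tracker that remembers every TTL seen on a flow and attaches that history to the alert, which is exactly the information Jon says is missing when only the triggering packet is logged. The flow key, the threshold (named after stream4's ttl_limit option) and the sample packets are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample traffic: (packet_no, src, dst, ttl). The first flow shows
# the kind of TTL change Jon describes (5 on one packet, 8 on another, then a
# big jump); the second flow is steady and should stay quiet.
SAMPLE_PACKETS = [
    (1, "10.0.0.5", "192.168.1.10", 5),
    (2, "10.0.0.5", "192.168.1.10", 8),
    (3, "10.0.0.9", "192.168.1.10", 64),
    (4, "10.0.0.5", "192.168.1.10", 64),   # large jump from the baseline: alert
    (5, "10.0.0.9", "192.168.1.10", 64),
]


class FlowTtlTracker:
    """Keep every TTL seen per flow so an alert can carry the whole history."""

    def __init__(self, ttl_limit=5):
        # Assumed threshold: alert when a packet's TTL differs from the flow's
        # first TTL by more than this (modelled on stream4's ttl_limit option).
        self.ttl_limit = ttl_limit
        self.history = defaultdict(list)   # (src, dst) -> [(packet_no, ttl), ...]

    def observe(self, packet_no, src, dst, ttl):
        """Record one packet; return an alert dict if the TTL jumped, else None."""
        key = (src, dst)                   # assumption: src/dst pair identifies a flow
        seen = self.history[key]
        alert = None
        if seen and abs(ttl - seen[0][1]) > self.ttl_limit:
            alert = {
                "flow": key,
                "trigger_packet": packet_no,
                "trigger_ttl": ttl,
                "baseline_ttl": seen[0][1],
                "ttl_history": list(seen),  # the earlier packets, not just the trigger
            }
        seen.append((packet_no, ttl))      # remember the trigger for later analysis
        return alert


def run(packets, ttl_limit=5):
    """Feed packets through the tracker and collect the alerts it raises."""
    tracker = FlowTtlTracker(ttl_limit)
    return [a for a in (tracker.observe(*p) for p in packets) if a]


if __name__ == "__main__":
    for alert in run(SAMPLE_PACKETS):
        print(alert)
```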