[Snort-users] Log vs. Alert --end the confusion!

Chris Green cmg at ...1935...
Tue Aug 13 07:11:02 EDT 2002

"Williams Jon" <WilliamsJon at ...2134...> writes:

> While we're talking about how preprocessors log packets, could someone help
> me out with the stream4 preprocessor?  There are a number of seemingly
> useful alerts that come out of it, such as the TTL evasion alerts, but when
> I go to the log, it looks as if snort only logs the last packet or the one
> that actually triggered the alert.  As a result, it is very difficult to go
> back through and describe to the "attacker" or their ISP what the activity
> was.  Obviously, the stream4 preprocessor had to have had all of the packets
> go through it and remember that the TTL was 5 on packet A, 8 on B, and so
> on.  Is it possible to get it to write out all the packets in the offending
> stream? 

I could add a "flush the stream to the logging subsystem" call, but
that's not guaranteed to show the initial packet that set the TTL.  In
1.9, the ttl_evasion stuff will only go off if the current packet is a
low number.

> This goes for all the alerts that come out of this preprocessor, and
> not just the TTL one.

When we switch to a better logging subsystem, a lot more information
about "WHAT" happened will be great.
Chris Green <cmg at ...1935...>
A watched process never cores.
