[Snort-users] Preprocessor logging (was: Log vs. Alert --end the confusion!)

Williams Jon WilliamsJon at ...2134...
Tue Aug 13 11:25:04 EDT 2002

If the stream gets flushed on an alert in the preprocessor, will it get
written out as individual packets, each with their original header, or will
they all get "reconstituted" into a stream pseudopacket?  When trying to
track down some of these issues, having the original packet headers is the
only way to find out what's going on.

<blue-sky wishlist>
As kind of a side note, has anyone looked into a rolling buffer of sorts to
allow a certain amount of history?  I mean, snort's tag: thingie is great
for recording what happened _after_ an alert, but a lot of the time, it's what
happened _before_ that is really useful for determining what's going on.
Similar to the issues I've run into with the preprocessor alerts, looking at
the actual packet that triggered the alert only gets you so far.

It would be very useful to be able to have an IDS that would buffer packets
for a short period of time for a given src/dest pair and if, during that
conversation/time period, any of the packets triggered an alert, write
everything to the log rather than just that one packet.  If nothing alerts
in that conversation or if the timeout is exceeded, the buffer gets flushed.
</blue-sky wishlist>


> -----Original Message-----
> From: Chris Green [mailto:cmg at ...1935...]
> I could add a flush the stream to the logging subsystem call but
> that's not guaranteed to show the initial packet that set the ttl.  in
> 1.9, the ttl_evasion stuff will only go off if the current packet is a
> low number.
> > This goes for all the alerts that come out of this preprocessor, and
> > not just the TTL one.
> When we switch to a better logging subsystem, a lot more information
> about "WHAT" happened will be great.
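
The per-conversation rolling buffer sketched in the wishlist above, written out
as an added example. This is not Snort code and not anything from the original
post or from Chris Green: it is a small Python model of the idea. The Packet
fields, the IP addresses, the 5-second window and the "low TTL" detector
(standing in for whatever rule or preprocessor check would normally fire) are
all constructed for the demonstration.

```python
"""Per-conversation pre-alert history buffer (added example, not Snort code).

Idea from the post: keep the last few seconds of packets for each src/dst
pair in memory. When a detector fires on one packet of that conversation,
write out *every* buffered packet, each with its original header, rather
than just the offending one. Conversations that never alert are dropped
once their window lapses, so the memory cost stays bounded.
"""
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """Constructed stand-in for a captured packet; real code would keep the raw bytes."""
    ts: float       # capture time in seconds
    src: str
    dst: str
    ttl: int
    payload: bytes


def flow_key(pkt):
    """Bidirectional conversation key: A->B and B->A share one buffer."""
    return tuple(sorted((pkt.src, pkt.dst)))


class PreAlertBuffer:
    def __init__(self, window, max_packets=256):
        self.window = window            # seconds of history to retain per conversation
        self.max_packets = max_packets  # hard cap so one noisy flow cannot eat all memory
        self.flows = {}                 # flow_key -> deque of Packet
        self.log = []                   # what would be written to the alert log on disk

    def _expire(self, key, now):
        """Drop packets older than the window; forget the flow if nothing is left."""
        dq = self.flows.get(key)
        if dq is None:
            return
        while dq and now - dq[0].ts > self.window:
            dq.popleft()
        if not dq:
            del self.flows[key]

    def observe(self, pkt, detector):
        """Buffer one packet; if it alerts, flush the whole conversation to the log."""
        key = flow_key(pkt)
        self._expire(key, pkt.ts)
        dq = self.flows.setdefault(key, deque(maxlen=self.max_packets))
        dq.append(pkt)
        if detector(pkt):
            # The history *before* the trigger is exactly what the post wants preserved.
            self.log.append({"trigger": pkt, "packets": list(dq)})
            del self.flows[key]
            return True
        return False

    def sweep(self, now):
        """Periodic housekeeping for idle conversations that never alerted."""
        for key in list(self.flows):
            self._expire(key, now)


def low_ttl(pkt, threshold=3):
    """Constructed detector: flag packets with a suspiciously low TTL."""
    return pkt.ttl <= threshold


def demo():
    """Run constructed traffic through the buffer and return it for inspection."""
    buf = PreAlertBuffer(window=5.0)
    traffic = [
        Packet(0.0, "10.0.0.5", "10.0.0.9", 64, b"GET /a"),
        Packet(0.5, "10.0.0.9", "10.0.0.5", 64, b"200 OK"),   # reply, same conversation
        Packet(1.0, "10.0.0.5", "10.0.0.9", 64, b"GET /b"),
        Packet(2.0, "10.0.0.7", "10.0.0.9", 64, b"noise"),    # unrelated conversation
        Packet(9.0, "10.0.0.5", "10.0.0.9", 64, b"GET /c"),   # >5 s gap: /a, /b, 200 OK expire
        Packet(9.5, "10.0.0.5", "10.0.0.9", 2,  b"GET /d"),   # low TTL: alert fires here
    ]
    for pkt in traffic:
        buf.observe(pkt, low_ttl)
    buf.sweep(now=20.0)   # the 10.0.0.7 conversation never alerted and is dropped
    return buf


if __name__ == "__main__":
    b = demo()
    for entry in b.log:
        print("trigger:", entry["trigger"].payload, "ttl", entry["trigger"].ttl)
        for p in entry["packets"]:
            print("  logged:", p.ts, p.src, "->", p.dst, p.payload)
```

Two things the model makes visible: the logged record for the TTL alert
contains GET /c as well as the triggering GET /d, because GET /c fell inside
the window, while the earlier packets were already expired and are gone for
good; and the unrelated 10.0.0.7 conversation costs nothing once its window
lapses. Tuning the window and the per-flow cap is the whole trade-off between
how much "before" context you get and how much memory the sensor holds.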
