[Snort-users] Preprocessor logging (was: Log vs. Alert --end the confusion!)

Chris Green cmg at ...1935...
Tue Aug 13 11:56:01 EDT 2002


"Williams Jon" <WilliamsJon at ...2134...> writes:

> If the stream gets flushed on an alert in the preprocessor, will it get
> written out as individual packets, each with their original header, or will
> they all get "reconstituted" into a stream pseudopacket?

Both.

> When trying to track down some of these issues, having the original
> packet headers is the only way to find out what's going on.
>
> <blue-sky wishlist>
> As kind of a side note, has anyone looked into a rolling buffer of sorts to
> allow a certain amount of history?  I mean, snort's tag: thingie is great
> for recording what happened _after_ an alert, but a lot of the time, it's what
> happened _before_ that is really useful for determining what's going on.
> Similar to the issues I've run into with the preprocessor alerts is that
> looking at the actual packet that triggered the alert only gets you so far.
>

There's been talk of it.  Long term it will probably happen. Short
term, if it's a must-have, you can contract to have that type of thing
right now :^).

Seriously though, it's a pretty major undertaking that would be very
fun to do but has to be approached carefully.
-- 
Chris Green <cmg at ...1935...>
Don't use a big word where a diminutive one will suffice.