[Snort-users] Database plugin question

Phil Wood cpw at ...440...
Wed Aug 14 14:32:05 EDT 2002


On Wed, Aug 14, 2002 at 10:13:47AM -0500, Radu Brumariu wrote:
> 
> Thanks, Jeffrey, for the input.
> However, I would like snort to log _all_ the packets that it sees,
> including arp,igrp,gre, etc.

I would use tcpdump for that:

  tcpdump -i eth0 -w pcapfile -s 1514

You can even feed that file into snort for analysis.  Instead of -i, use

  -r pcapfile

snort does not handle non-ip packets.  You could use snort to grab the
ip packets with the rule supplied by Jeffrey, and you could use tcpdump at
the same time to get all the non-ip packets with the following:

  tcpdump -i eth0 -w pcapfile -s 1514 not ip

> 
> Radu
> 
> 
> On Wed, 2002-08-14 at 14:42, Dell, Jeffrey wrote:
> > Use the rule:
> > 
> > log ip any any <> any any 
> > 
> > This will log all ip packets.
> > 
> > -----Original Message-----
> > From: Radu Brumariu [mailto:brumariur at ...908...] 
> > Sent: Wednesday, August 14, 2002 10:27 AM
> > To: snort-users at lists.sourceforge.net
> > Subject: [Snort-users] Database plugin question
> > 
> > 
> > 
> > Hi all,
> > I would like to know if it is possible to trick snort into logging every
> > packet that it sees to the database rather than log|alert?
> > 
> > thanks,
> > Radu
> > 
> > 
> > 
> > 
> > 
> > -------------------------------------------------------
> > This sf.net email is sponsored by: Dice - The leading online job board for
> > high-tech professionals. Search and apply for tech jobs today!
> > http://seeker.dice.com/seeker.epl?rel_code=31
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users at lists.sourceforge.net
> > Go to this URL to change user options or unsubscribe:
> > https://lists.sourceforge.net/lists/listinfo/snort-users
> > Snort-users list archive:
> > http://www.geocrawler.com/redir-sf.php3?list=snort-users

-- 
Phil Wood, cpw at ...440...
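
An added example, not part of the original message: a small Python reader that splits a classic pcap file the way the `ip` / `not ip` filters above split traffic, so you can check which frames would end up in the tcpdump capture. The frames, MAC and IP addresses are constructed sample data, and the function names are hypothetical.

```python
import struct

ETH_IPV4, ETH_ARP, ETH_IPV6 = 0x0800, 0x0806, 0x86DD

def eth(ethertype, payload=b""):
    """Constructed Ethernet frame: broadcast dst, made-up src, padded to 60 bytes."""
    hdr = b"\xff" * 6 + b"\x02\x00\x00\x00\x00\x01" + struct.pack("!H", ethertype)
    return (hdr + payload).ljust(60, b"\x00")

def ipv4(proto):
    """Minimal 20-byte IPv4 header (checksum 0) with documentation addresses."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, proto, 0,
                       bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))

def build_pcap(frames, snaplen=1514):
    """Classic pcap file: 24-byte global header, then 16-byte record headers."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, 1)
    for i, frame in enumerate(frames):
        cap = frame[:snaplen]  # what -s 1514 would keep of each frame
        out += struct.pack("<IIII", i, 0, len(cap), len(frame)) + cap
    return out

def split_pcap(data):
    """Return (ip, non_ip) labels, split the way 'ip' / 'not ip' split frames."""
    magic = struct.unpack_from("<I", data)[0]
    if magic not in (0xA1B2C3D4, 0xD4C3B2A1):
        raise ValueError("not a classic pcap file")
    e = "<" if magic == 0xA1B2C3D4 else ">"  # byte order of the writer
    if struct.unpack_from(e + "I", data, 20)[0] != 1:
        raise ValueError("only Ethernet (linktype 1) is handled here")
    ip, non_ip, off = [], [], 24
    while off + 16 <= len(data):
        caplen = struct.unpack_from(e + "I", data, off + 8)[0]
        frame = data[off + 16: off + 16 + caplen]
        off += 16 + caplen
        if len(frame) < 14:  # too short to hold an Ethernet header: skip
            continue
        ethertype = struct.unpack_from("!H", frame, 12)[0]
        if ethertype == ETH_IPV4:  # tcpdump's 'ip' primitive means IPv4 only
            proto = frame[23] if len(frame) > 23 else -1
            ip.append(f"ipv4 proto {proto}")
        else:
            non_ip.append(f"ethertype 0x{ethertype:04x}")
    return ip, non_ip

# Constructed sample: ARP, TCP, GRE (IP proto 47), IGRP (IP proto 9), IPv6
SAMPLE = build_pcap([eth(ETH_ARP), eth(ETH_IPV4, ipv4(6)), eth(ETH_IPV4, ipv4(47)),
                     eth(ETH_IPV4, ipv4(9)), eth(ETH_IPV6)])

if __name__ == "__main__":
    for name, group in zip(("ip", "not ip"), split_pcap(SAMPLE)):
        print(name, "->", group)
```

GRE and IGRP travel inside IPv4, so they land on the `ip` side, while ARP and IPv6 frames match `not ip`.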




