[Snort-users] Need to log FULL packets

Junaidi Bin Sapari junaidi at ...4162...
Wed Mar 13 14:07:01 EST 2002

Hash: SHA1

On Thursday 14 March 2002 02:59, Matt Kettler wrote:

Snort is able to do tagging. This is based on the rule which is triggered. 
Once a rule is triggered, all the traffic involving the source host is 
logged. Below is one of my example, so just apply the same for which 
particular rules you want.
(from web-iis.rules)
alert tcp $EXTERNAL_NET any -> $IIS_SERVERS 80 (msg:"WEB-IIS cmd.exe access"; 
flags: A+; content:"cmd.exe"; nocase; classtype:web-application-attack; 
sid:1002; rev:2; tag: host, 300, packets, src;)

> Well, first I'm wondering what version of snort you are running. Snort
> 1.9??? Erm, snort 1.8.4 isn't even in non beta yet as far as I can tell
> (1.8.4 beta4 was released march 2). Is 1.9 what the CVS image tarballs call
> themselves? If so, why are you using snort-current for production use?
> (that's a development branch snapshot, which really could use a better name
> on the website, the term "current" risks implying "current release").
>   As far as switches go -X   (full dump including IP headers) or -d
> (application layer only, no IP headers) should be all you need.
> You claim the data looks like it is "cut off", since this is UDP we are
> talking about, have you checked to make sure you're not only catching one
> fragment of a multi-fragment UDP packet. Note that dumping the application
> layer data like this will slow snort down enough that it becomes quite
> likely that if a UDP packet gets fragmented you may miss some of the
> following fragments while the first one is dumped.
> If this is the case, you might make sure that the frag2 preprocessor is on
> to defragment the UDP packet prior to passing it up and dumping it.
> At 01:06 PM 3/13/2002 -0500, Sheahan, Paul (PCLN-NW) wrote:
> >Hello,
> >
> >I'm doing an investigation on some unusual UDP traffic on my network and
> > am using Snort 1.9 on Linux to monitor the data. The traces of each
> > packet are getting cut off in the logs. How can I be sure I am getting
> > ALL of each packet in the traces? The more info I can gather on each
> > packet during this test would be ideal (I'm not concerned about speed or
> > missed packets).
> >
> >Can anyone recommend the correct Snort switches so I can gather the MOST
> >thorough data?
> >
> >Thanks in advance!
> >Paul
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org


More information about the Snort-users mailing list