[Snort-users] Snort outputting like tcpdump

Christopher Lyon cslyon at ...6523...
Sun Jan 19 10:06:02 EST 2003


Got it,
So I would be better off using tcpdump, ethereal or something like that
to capture what I want and log it to a separate database.



> -----Original Message-----
> From: Erek Adams [mailto:erek at ...950...]
> Sent: Friday, January 17, 2003 9:21 AM
> To: Christopher Lyon
> Cc: snort-users at lists.sourceforge.net
> Subject: RE: [Snort-users] Snort outputting like tcpdump
> 
> On Fri, 17 Jan 2003, Christopher Lyon wrote:
> 
> > Is there a way not to log the payload?
> 
> Short answer:  No.
> 
> Longer answer:  I don't have my Stephens book handy right now, it's
> somewhere buried in a moving box, so this info isn't as accurate as I
> would like.  Different types of packets have different header sizes.  One
> may have 40 bytes, one may have 60 bytes, etc.  As I said, Tcpdump grabs
> 68 bytes of the packet and works with that.  Snort grabs 1514 bytes.  If
> you want to change how much Snort grabs, use the -P command line option.
> snort -P 68 will have Snort reading exactly as Tcpdump would.
> 
> If you're attempting to use that for Intrusions, it's all but
> worthless.  If you're trying to do it for tracking your users, just use
> tcpdump, urlsnarf, or something like that.  If you're trying to get it
> into a DB, modify the db output plugin not to send the payload once it's
> got the headers decoded.
> 
> Cheers!
> 
> -----
> Erek Adams
> 
>    "When things get weird, the weird turn pro."   H.S. Thompson
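Erek's point that header sizes vary, and that a 68-byte snaplen covers some headers but not all, can be checked against a raw frame. The following is an added example, not code from this thread or from Snort or tcpdump: it decodes the Ethernet/IPv4/TCP (or UDP) header length of a frame, strips the payload the way the original question wanted, and reports whether a given snaplen keeps the headers intact. The build_frame helper and the addresses and ports in it are constructed for the example.

```python
import struct

ETHERTYPE_IPV4 = 0x0800
ETH_HDR_LEN = 14
TCPDUMP_SNAPLEN = 68      # the 68 bytes mentioned in the thread
SNORT_SNAPLEN = 1514      # the 1514 bytes mentioned in the thread

def header_length(frame: bytes) -> int:
    """Bytes of Ethernet + IPv4 + TCP/UDP headers in a raw frame (payload excluded)."""
    if len(frame) < ETH_HDR_LEN:
        raise ValueError("frame too short for an Ethernet header")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETHERTYPE_IPV4:
        raise ValueError(f"unsupported ethertype 0x{ethertype:04x}")
    ip = frame[ETH_HDR_LEN:]
    ihl = (ip[0] & 0x0F) * 4            # IPv4 header length incl. options (20..60)
    proto = ip[9]
    if proto == 6:                      # TCP: data offset incl. options (20..60)
        l4_len = (ip[ihl + 12] >> 4) * 4
    elif proto == 17:                   # UDP: fixed 8-byte header
        l4_len = 8
    else:
        raise ValueError(f"unsupported IP protocol {proto}")
    return ETH_HDR_LEN + ihl + l4_len

def headers_only(frame: bytes) -> bytes:
    """Drop the application payload, keeping exactly the decoded headers."""
    return frame[:header_length(frame)]

def covered_by_snaplen(frame: bytes, snaplen: int = TCPDUMP_SNAPLEN) -> bool:
    """True if a capture truncated at `snaplen` still holds the complete headers."""
    return header_length(frame) <= snaplen

def build_frame(ip_options: bytes = b"", tcp_options: bytes = b"", payload: bytes = b"") -> bytes:
    """Constructed Ethernet/IPv4/TCP frame for testing (checksums zeroed, not a real capture).
    Option blobs must be multiples of 4 bytes, as on the wire."""
    ihl = (20 + len(ip_options)) // 4
    doff = (20 + len(tcp_options)) // 4
    tcp = struct.pack("!HHIIBBHHH", 12345, 80, 0, 0, doff << 4, 0x18, 65535, 0, 0)
    tcp += tcp_options + payload
    total = 20 + len(ip_options) + len(tcp)
    ip = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, total, 0, 0, 64, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])) + ip_options
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + struct.pack("!H", ETHERTYPE_IPV4)
    return eth + ip + tcp
```

A plain TCP segment has 54 bytes of headers and fits under 68, while a segment carrying IP and TCP options can exceed it, which is why a 68-byte snaplen sometimes cuts into headers yet never keeps payload for inspection.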