[Snort-users] Snort outputting like tcpdump
cslyon at ...6523...
Sun Jan 19 10:06:02 EST 2003
So I would be better off using tcpdump, ethereal or something like that
to capture what I want and log it to a separate database.
> -----Original Message-----
> From: Erek Adams [mailto:erek at ...950...]
> Sent: Friday, January 17, 2003 9:21 AM
> To: Christopher Lyon
> Cc: snort-users at lists.sourceforge.net
> Subject: RE: [Snort-users] Snort outputting like tcpdump
> On Fri, 17 Jan 2003, Christopher Lyon wrote:
> > Is there a way not to log the payload?
> Short answer: No.
> Longer answer: I don't have my Stephens book handy right now, it's
> somewhere buried in a moving box, so this info isn't as accurate as I
> like. Different types of packets have different header sizes. One
> have 40 bytes, one may have 60 bytes, etc. As I said, Tcpdump grabs
> bytes of the packet and works with that. Snort grabs 1514 bytes. If
> want to change how much Snort grabs, use the -P command line option.
> snort -P 68 will have Snort reading exactly as Tcpdump would.
> If you're attempting to use that for Intrusions, it's all but
> If you're trying to do it for tracking your users, just use tcpdump,
> urlsnarf, or something like that. If you're trying to get it into a
> modify the db output plugin not to send the payload once it's got the
> headers decoded.
> Erek Adams
> "When things get weird, the weird turn pro." H.S. Thompson
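The snaplen point in the quoted reply (header sizes vary, and `-P 68` only keeps whatever fits in the first 68 bytes) can be checked offline. The following is an added example, not code from the thread or from Snort: it constructs sample Ethernet/IPv4/TCP frames, truncates them the way a capture engine with a given snaplen would, and reports whether the header chain survived and how many payload bytes were retained. The packet builder and field values are constructed for illustration.

```python
import struct

ETH_HDR = 14  # Ethernet II header length

def build_tcp_packet(ip_opts: bytes, tcp_opts: bytes, payload: bytes) -> bytes:
    """Constructed Ethernet/IPv4/TCP frame (sample, not a real capture).
    IP and TCP options must already be padded to 4-byte multiples."""
    assert len(ip_opts) % 4 == 0 and len(tcp_opts) % 4 == 0
    eth = b"\x00" * 12 + b"\x08\x00"                 # dst MAC, src MAC, EtherType IPv4
    ihl = 5 + len(ip_opts) // 4                      # IP header length in 32-bit words
    total_len = ihl * 4 + 20 + len(tcp_opts) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, total_len, 0, 0,
                     64, 6, 0, b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02") + ip_opts
    data_off = 5 + len(tcp_opts) // 4                # TCP data offset in 32-bit words
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, data_off << 4, 0x18,
                      65535, 0, 0) + tcp_opts
    return eth + ip + tcp + payload

def snap(packet: bytes, snaplen: int) -> bytes:
    """What a capture engine keeps when told to grab at most snaplen bytes."""
    return packet[:snaplen]

def payload_kept(captured: bytes) -> dict:
    """Decode the header chain of a (possibly truncated) capture and report
    whether the full TCP header survived and how many payload bytes remain."""
    truncated = {"headers_complete": False, "payload_bytes": 0}
    if len(captured) < ETH_HDR + 20:
        return truncated
    ihl = (captured[ETH_HDR] & 0x0F) * 4             # IPv4 header length in bytes
    tcp_start = ETH_HDR + ihl
    if len(captured) < tcp_start + 20:
        return truncated
    data_off = (captured[tcp_start + 12] >> 4) * 4   # TCP header length in bytes
    payload_start = tcp_start + data_off
    if len(captured) < payload_start:
        return truncated
    return {"headers_complete": True, "payload_bytes": len(captured) - payload_start}

if __name__ == "__main__":
    plain = build_tcp_packet(b"", b"", b"GET / HTTP/1.0\r\n" + b"x" * 100)
    ts = build_tcp_packet(b"", b"\x01\x01\x08\x0a" + b"\x00" * 8, b"x" * 100)
    maxopt = build_tcp_packet(b"\x01" * 40, b"\x01" * 40, b"x" * 100)
    for name, pkt in (("no options", plain), ("TCP timestamps", ts), ("max options", maxopt)):
        print(name, "snaplen 68:", payload_kept(snap(pkt, 68)), "snaplen 1514:", payload_kept(snap(pkt, 1514)))
```

With no options, 68 bytes still leaves 14 bytes of payload in the capture; with 12 bytes of TCP options only 2 remain, and with maximal IP and TCP options the TCP header itself is cut off, so a short snaplen trims payload but does not guarantee header-only captures.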