[Snort-users] SNORT / Shadow config setting question
erek at ...950...
Tue May 27 08:58:07 EDT 2003
On Fri, 23 May 2003, Raven, Mark wrote:
> As a follow-up to a SAS70 audit, our auditing firm has requested I cut and
> paste to them the lines in the shadow and SNORT config file(s) where it
> proves that all packet headers are being logged.
> Is anyone out there a SNORT and Shadow guru who can point me to the right
> file and appropriate lines so I can get this auditor out of my hair? Thanks.
Well... There isn't a place in the config files that that is. It simply
has to do with the way both Snort and tcpdump (the driving program behind
SHADOW) record the data.
tcpdump has a default snaplen (number of bytes you record per packet) of
68 bytes. From the tcpdump man page:
Analyze at most the first snaplen bytes of data from each
packet rather than the default of 68. 68 bytes is adequate
for IP, ICMP, TCP, and UDP but may truncate protocol
information from name server and NFS packets (see below).
Packets truncated because of a limited snaplen are indicated
in the output with ``[|proto]'', where proto is the name of
the protocol level at which the truncation has occurred.
Taking larger snapshots both increases the amount of time it
takes to process packets and, effectively, decreases the
amount of packet buffering. This may cause packets to be
lost. You should limit snaplen to the smallest number that
will capture the protocol information you're interested in.
Snort defaults its snaplen to 1514 bytes. From decode.h:
    /* IRIX 6.2 hack! */
    #ifndef IRIX
    #define SNAPLEN 1514
    #else
    #define SNAPLEN 1500
    #endif
That sets the default SNAPLEN to 1500 on IRIX 6.2 and 1514 to all other
So that's not part of the config, but it's there in the man pages and the
Hope that helps!
"When things get weird, the weird turn pro." H.S. Thompson
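A check that gives the auditor evidence from the capture files themselves rather than from config lines, added here as an example and not part of the original thread: the snaplen used is recorded in the pcap global header, and any packet saved with fewer bytes than were on the wire is one the man page would print as ``[|proto]``. It assumes classic pcap files (not pcapng) and constructs its own sample capture.

```python
import struct

PCAP_MAGIC = 0xA1B2C3D4          # classic pcap magic (microsecond timestamps)
GLOBAL_HDR = "IHHiIII"           # magic, ver major/minor, thiszone, sigfigs, snaplen, linktype
RECORD_HDR = "IIII"              # ts_sec, ts_usec, incl_len (saved), orig_len (on the wire)

def audit_pcap(data):
    """Report the capture's snaplen and how many packets were saved short.

    A record is 'truncated' when incl_len < orig_len, i.e. the snaplen cut it off.
    """
    magic = struct.unpack("<I", data[:4])[0]
    if magic == PCAP_MAGIC:
        end = "<"
    elif magic == 0xD4C3B2A1:      # same magic written by a big-endian host
        end = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    hdr_size = struct.calcsize(end + GLOBAL_HDR)
    snaplen = struct.unpack(end + GLOBAL_HDR, data[:hdr_size])[5]
    rec_size = struct.calcsize(end + RECORD_HDR)
    off, packets, truncated, max_orig = hdr_size, 0, 0, 0
    while off + rec_size <= len(data):
        _, _, incl_len, orig_len = struct.unpack(end + RECORD_HDR, data[off:off + rec_size])
        off += rec_size + incl_len
        packets += 1
        max_orig = max(max_orig, orig_len)
        if incl_len < orig_len:
            truncated += 1
    return {"snaplen": snaplen, "packets": packets,
            "truncated": truncated, "max_orig_len": max_orig}

def build_pcap(snaplen, wire_frames):
    """Constructed sample data: write a pcap the way a capture with this snaplen would."""
    out = struct.pack("<" + GLOBAL_HDR, PCAP_MAGIC, 2, 4, 0, 0, snaplen, 1)  # linktype 1 = Ethernet
    for i, frame in enumerate(wire_frames):
        saved = frame[:snaplen]
        out += struct.pack("<" + RECORD_HDR, 1053960000 + i, 0, len(saved), len(frame)) + saved
    return out

if __name__ == "__main__":
    # A 60-byte frame and a full-size 1514-byte frame, captured at tcpdump's
    # old default of 68 and at Snort's default of 1514.
    frames = [b"\x00" * 60, b"\xff" * 1514]
    for snap in (68, 1514):
        print(snap, audit_pcap(build_pcap(snap, frames)))
```

Run it over a real SHADOW or Snort capture by reading the file into `audit_pcap`; a snaplen of 68 with a non-zero truncated count is the case the auditor is asking about.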