[Snort-users] SNORT / Shadow config setting question

Erek Adams erek at ...950...
Tue May 27 08:58:07 EDT 2003


On Fri, 23 May 2003, Raven, Mark wrote:

> As a follow-up to a SAS70 audit, our auditing firm has requested I cut and
> paste to them the lines in the shadow and SNORT config file(s) where it
> proves that all packet headers are being logged.
> Is any one out there a SNORT and Shadow guru and can point me to the right
> file and appropriate lines so I can get this auditor out of my hair? Thanks.

Well...  There isn't a place in the config files where that is.  It simply
has to do with the way both Snort and tcpdump (the driving program behind
SHADOW) record the data.

tcpdump has a default snaplen (amount of bytes you record per packet) of
68 bytes.  From the tcpdump man page:

     -s snaplen
             Analyze at most the first snaplen bytes of data from each
             packet rather than the default of 68.  68 bytes is adequate
             for IP, ICMP, TCP, and UDP but may truncate protocol
             information from name server and NFS packets (see below).
             Packets truncated because of a limited snaplen are indicated
             in the output with ``[|proto]'', where proto is the name of
             the protocol level at which the truncation has occurred.
             Taking larger snapshots both increases the amount of time it
             takes to process packets and, effectively, decreases the
             amount of packet buffering.  This may cause packets to be
             lost.  You should limit snaplen to the smallest number that
             will capture the protocol information you're interested in.

Snort defaults its snaplen to 1514 bytes.  From decode.h:

   /* IRIX 6.2 hack! */
   #ifndef IRIX
       #define SNAPLEN         1514
   #else
       #define SNAPLEN         1500
   #endif

That sets the default SNAPLEN to 1500 on IRIX 6.2 and 1514 for all other
OSes.

So that's not part of the config, but it's there in the man pages and the
source code....

Hope that helps!

-----
Erek Adams

   "When things get weird, the weird turn pro."   H.S. Thompson
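The reply above explains that "all headers are logged" is a property of the snaplen, not of any config line. The script below is an added example (editor's code, not Erek Adams's, Snort's or tcpdump's) that makes the point checkable: it writes a classic libpcap file the way `tcpdump -s` would, keeping at most `snaplen` bytes of each frame while recording the true length, then audits every record for two things an auditor actually cares about: was the record cut short (`caplen < len`), and does the captured portion still contain the complete Ethernet/IPv4/transport headers. All frames are constructed test data; the code assumes little-endian pcap, Ethernet link type and IPv4 only. It also shows the caveat the man page glosses over: 68 bytes covers option-free headers (14 + 20 + 20 = 54 bytes) but not an IPv4 header and TCP header both carrying maximal options (14 + 60 + 60 = 134 bytes). Note that current tcpdump releases default to a much larger snaplen than the 68 bytes quoted in the post, so the 68-byte figure applies to tcpdump of that era or to a SHADOW setup that sets `-s` explicitly.

```python
"""Added example: emulate tcpdump -s <snaplen> when writing a libpcap file,
then audit which records were truncated and whether their headers survived.
All packets are constructed test data, not captured traffic."""
import struct

PCAP_MAGIC = 0xA1B2C3D4
LINKTYPE_ETHERNET = 1
TCPDUMP_DEFAULT_SNAPLEN = 68     # tcpdump default quoted in the post (old versions)
SNORT_DEFAULT_SNAPLEN = 1514     # SNAPLEN from Snort's decode.h


def pcap_file(frames, snaplen):
    """Serialize frames as a libpcap file: at most snaplen bytes per record,
    but each record header still carries the frame's true length."""
    out = [struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET)]
    for i, frame in enumerate(frames):
        caplen = min(len(frame), snaplen)
        out.append(struct.pack("<IIII", i, 0, caplen, len(frame)) + frame[:caplen])
    return b"".join(out)


def parse_pcap(data):
    """Return (file snaplen, [(caplen, origlen, captured_bytes), ...])."""
    magic, _, _, _, _, snaplen, linktype = struct.unpack_from("<IHHiIII", data, 0)
    if magic != PCAP_MAGIC or linktype != LINKTYPE_ETHERNET:
        raise ValueError("not a little-endian Ethernet pcap")
    off, records = 24, []
    while off < len(data):
        _, _, caplen, origlen = struct.unpack_from("<IIII", data, off)
        off += 16
        records.append((caplen, origlen, data[off:off + caplen]))
        off += caplen
    return snaplen, records


def header_bytes_needed(captured):
    """Offset just past the transport header of an Ethernet/IPv4 frame, or
    None when the captured bytes are too short to even read the length fields."""
    if len(captured) < 14 + 20 or struct.unpack_from("!H", captured, 12)[0] != 0x0800:
        return None
    ihl = (captured[14] & 0x0F) * 4            # IPv4 header length incl. options
    proto = captured[14 + 9]
    l4 = 14 + ihl
    if proto == 6:                              # TCP: data offset = high nibble of byte 12
        if len(captured) < l4 + 13:
            return None
        return l4 + (captured[l4 + 12] >> 4) * 4
    if proto in (17, 1):                        # UDP and ICMP: fixed 8-byte header
        return l4 + 8
    return l4


def audit(data):
    """Per record: was it cut short, and are the headers fully present?"""
    snaplen, records = parse_pcap(data)
    report = []
    for caplen, origlen, captured in records:
        need = header_bytes_needed(captured)
        report.append({"caplen": caplen, "len": origlen,
                       "truncated": caplen < origlen,
                       "headers_complete": need is not None and caplen >= need})
    return snaplen, report


# --- constructed sample frames (hypothetical hosts 10.0.0.1 -> 10.0.0.2) ------
ETH = b"\x02\x00\x00\x00\x00\x02" + b"\x02\x00\x00\x00\x00\x01" + b"\x08\x00"


def ipv4(proto, payload_len, ihl_words=5):
    """IPv4 header; ihl_words > 5 pads the header with NOP (0x01) options."""
    opts = b"\x01" * ((ihl_words - 5) * 4)
    return struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl_words, 0, ihl_words * 4 + payload_len,
                       0, 0x4000, 64, proto, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])) + opts


def tcp_segment(payload=b"", doff_words=5):
    """TCP SYN header; doff_words > 5 pads the header with NOP options."""
    opts = b"\x01" * ((doff_words - 5) * 4)
    return struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, doff_words << 4, 0x02, 8192, 0, 0) + opts + payload


def frame_tcp(payload=b"", ihl_words=5, doff_words=5):
    seg = tcp_segment(payload, doff_words)
    return ETH + ipv4(6, len(seg), ihl_words) + seg


def frame_udp_dns():
    """A 71-byte DNS A query for example.com: the 'name server' case in the man page."""
    dns = b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00" + b"\x07example\x03com\x00\x00\x01\x00\x01"
    udp = struct.pack("!HHHH", 53000, 53, 8 + len(dns), 0) + dns
    return ETH + ipv4(17, len(udp)) + udp


SAMPLE_FRAMES = [
    frame_tcp(),                                # 54-byte SYN, no options
    frame_tcp(payload=b"A" * 1400),             # 1454-byte data segment
    frame_tcp(ihl_words=15, doff_words=15),     # 134 bytes of headers with maximal options
    frame_udp_dns(),                            # 71-byte DNS query
]


def summarize(snaplen):
    """(truncated, headers_complete) per sample frame at the given snaplen."""
    _, report = audit(pcap_file(SAMPLE_FRAMES, snaplen))
    return [(r["truncated"], r["headers_complete"]) for r in report]


if __name__ == "__main__":
    for name, snap in (("tcpdump", TCPDUMP_DEFAULT_SNAPLEN), ("snort", SNORT_DEFAULT_SNAPLEN)):
        print(name, snap, summarize(snap))
```

Against the four constructed frames a 68-byte snaplen keeps the headers of the plain SYN, the large data segment and the DNS query intact (the latter two are truncated, but only in their payload), yet it cuts the TCP header of the frame carrying maximal IP and TCP options; at Snort's 1514 bytes nothing is truncated. Pointing the `audit()` function at a real capture and reporting zero records with `headers_complete == False` is the kind of evidence the auditor's request can actually be answered with.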
