[Snort-users] log single packet vs reassembled stream

Jason Haar Jason.Haar at ...294...
Mon Oct 4 08:33:42 EDT 2004


Alex Butcher, ISC/ISYS wrote:

>> I know about the tag keyword..... Is there any other way so that the
>> entire session can be logged, if alert is generated in any of its
>> packet....
>
>
> sguil can integrate snort with tcpdump, apparently. I've thought about 
> doing something similar using flexresp, tethereal (in ring-log-file 
> mode) and a shell script or similar.


I think, Thomas, that you need to think through what you are asking. What 
if the traffic in question ends up being a 6Gb DVD download? No IDS 
system will log such amounts of data - it would cause a DoS attack 
against the IDS (i.e. it would run out of memory, CPU, DISK, take your 
pick). Also think about if you were using the SQL backend - can your 
database handle a 6Gb BLOB object? :-). With Snort, a logged event 
contains the section that triggered the alert plus "a bit" of extra data 
around it - but it doesn't capture the entire session.

If you are sure you need such capabilities, then as Alex says, there may 
be other options...

Jason
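Alex's ring-buffer idea together with Jason's size warning, as an added example (not code from either poster, nor from Snort, sguil or tethereal): a small Python routine that pulls one TCP session out of an in-memory libpcap file and stops once a byte cap would be exceeded, so a "log the whole session" step cannot exhaust disk or memory. The pcap, the 10.0.0.x hosts and the ports are constructed sample data.

```python
import struct

def ip2b(ip: str) -> bytes:
    return bytes(int(o) for o in ip.split("."))

def iter_pcap(data: bytes):
    """Yield raw frames from a classic libpcap file held in memory (either byte order)."""
    endian = "<" if struct.unpack("<I", data[:4])[0] == 0xA1B2C3D4 else ">"
    off = 24                                   # skip the 24-byte global header
    while off + 16 <= len(data):
        incl_len = struct.unpack(endian + "IIII", data[off:off + 16])[2]
        off += 16
        yield data[off:off + incl_len]
        off += incl_len

def tcp_flow(frame: bytes):
    """Direction-independent key for an Ethernet/IPv4/TCP frame, or None if not TCP."""
    if len(frame) < 38 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None
    ihl = (frame[14] & 0x0F) * 4
    sport, dport = struct.unpack("!HH", frame[14 + ihl:18 + ihl])
    return frozenset({(frame[26:30], sport), (frame[30:34], dport)})

def extract_session(pcap, ip_a, port_a, ip_b, port_b, max_bytes):
    """Collect one TCP session from a ring-buffer pcap, stopping before max_bytes is
    exceeded. Returns (frames, total_bytes, truncated): a bounded excerpt, not a 6Gb blob."""
    want = frozenset({(ip2b(ip_a), port_a), (ip2b(ip_b), port_b)})
    frames, total, truncated = [], 0, False
    for frame in iter_pcap(pcap):
        if tcp_flow(frame) != want:
            continue
        if total + len(frame) > max_bytes:
            truncated = True               # cap reached: stop, do not exhaust disk/RAM
            break
        frames.append(frame)
        total += len(frame)
    return frames, total, truncated

# --- constructed sample capture (not real traffic) -------------------------
def _frame(src, dst, sport, dport, payload: bytes) -> bytes:
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x18, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0, ip2b(src), ip2b(dst)) + tcp
    return b"\x00" * 12 + b"\x08\x00" + ip      # zero MACs, EtherType IPv4
def sample_pcap() -> bytes:
    flows = [_frame("10.0.0.5", "10.0.0.9", 40000, 80, b"GET /x HTTP/1.0\r\n\r\n"),
             _frame("10.0.0.7", "10.0.0.9", 40001, 80, b"GET /y HTTP/1.0\r\n\r\n"),  # other session
             _frame("10.0.0.9", "10.0.0.5", 80, 40000, b"A" * 300),
             _frame("10.0.0.9", "10.0.0.5", 80, 40000, b"B" * 300)]
    head = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    return head + b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in flows)
```

Frames are matched in both directions, so the alert's source/destination pair can be passed in either order.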
