[Snort-users] log single packet vs reassembled stream
Jason.Haar at ...294...
Mon Oct 4 08:33:42 EDT 2004
Alex Butcher, ISC/ISYS wrote:
>> I know about the tag keyword..... Is there any other way so that the
>> entire session can be logged, if alert is generated in any of its
> sguil can integrate snort with tcpdump, apparently. I've thought about
> doing something similar using flexresp, tethereal (in ring-log-file
> mode) and a shell script or similar.
I think, Thomas, that you need to think through what you are asking. What
if the traffic in question ends up being a 6Gb DVD download? No IDS
system will log such amounts of data - it would cause a DoS attack
against the IDS (i.e. it would run out of memory, CPU, DISK, take your
pick). Also think about if you were using the SQL backend - can your
database handle a 6Gb BLOB object? :-). With Snort, a logged event
contains the section that triggered the alert plus "a bit" of extra data
around it - but it doesn't capture the entire session.
If you are sure you need such capabilities, then as Alex says, there may
be other options...
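The ring-buffer-plus-script approach Alex mentions, combined with the hard cap Jason argues for, as an added Python example; it is not code from this thread, from Snort or from sguil. The minimal pcap parser, the alert-as-5-tuple format and the sample packets are constructed assumptions.

```python
"""Bounded session extraction from a tcpdump/tethereal ring buffer (hypothetical)."""
import struct

PCAP_MAGIC = 0xA1B2C3D4  # little-endian pcap, microsecond timestamps

def build_pcap(packets):
    """Constructed input: a pcap of Ethernet/IPv4/TCP frames from tuples
    (ts_sec, src, sport, dst, dport, payload). Checksums are left zero."""
    out = bytearray(struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1))
    for ts, src, sport, dst, dport, payload in packets:
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                         bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
        tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x18, 8192, 0, 0)
        frame = b"\x00" * 12 + b"\x08\x00" + ip + tcp + payload
        out += struct.pack("<IIII", ts, 0, len(frame), len(frame)) + frame
    return bytes(out)

def iter_pcap(data):
    """Yield (ts, src, sport, dst, dport, payload) for every IPv4/TCP record."""
    off = 24
    while off + 16 <= len(data):
        ts, _, caplen, _ = struct.unpack_from("<IIII", data, off)
        frame = data[off + 16:off + 16 + caplen]
        off += 16 + caplen
        if frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue  # not IPv4/TCP: irrelevant to a TCP session
        ihl = (frame[14] & 0x0F) * 4
        src = ".".join(map(str, frame[26:30]))
        dst = ".".join(map(str, frame[30:34]))
        tcp = 14 + ihl
        sport, dport = struct.unpack_from("!HH", frame, tcp)
        doff = (frame[tcp + 12] >> 4) * 4
        yield ts, src, sport, dst, dport, frame[tcp + doff:]

def extract_session(data, alert, max_bytes, max_packets):
    """Collect both directions of the alerting 5-tuple from the ring, but stop
    at a byte or packet budget so a multi-gigabyte transfer cannot exhaust the
    sensor's disk or memory. Returns (packets, payload_bytes, truncated)."""
    a_src, a_sport, a_dst, a_dport = alert
    directions = {(a_src, a_sport, a_dst, a_dport), (a_dst, a_dport, a_src, a_sport)}
    kept, total, truncated = [], 0, False
    for ts, src, sport, dst, dport, payload in iter_pcap(data):
        if (src, sport, dst, dport) not in directions:
            continue
        if len(kept) >= max_packets or total + len(payload) > max_bytes:
            truncated = True  # budget hit: keep what we have, note the cut
            break
        kept.append((ts, src, sport, dst, dport, payload))
        total += len(payload)
    return kept, total, truncated
```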