[Snort-users] log single packet vs reassembled stream
neo_ait at ...131...
Mon Oct 4 19:09:30 EDT 2004
I am trying to capture session data of an average mail or data transfer. So I think we can put an upper limit on the session data size, so that most of the traffic sessions can be caught.
So is there any way to provide such information to Snort? Or do I have to modify some code to do the adjustment?
Jason Haar <Jason.Haar at ...294...> wrote:
Alex Butcher, ISC/ISYS wrote:
>> I know about the tag keyword. Is there any other way so that the
>> entire session can be logged, if an alert is generated in any of its
> sguil can integrate snort with tcpdump, apparently. I've thought about
> doing something similar using flexresp, tethereal (in ring-log-file
> mode) and a shell script or similar.
I think, Thomas, that you need to think through what you are asking. What
if the traffic in question ends up being a 6Gb DVD download? No IDS
system will log such amounts of data - it would cause a DoS attack
against the IDS (i.e. it would run out of memory, CPU, DISK, take your
pick). Also think about if you were using the SQL backend - can your
database handle a 6Gb BLOB object? :-). With Snort, a logged event
contains the section that triggered the alert plus "a bit" of extra data
around it - but it doesn't capture the entire session.
If you are sure you need such capabilities, then as Alex says, there may
be other options...
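The bounded post-alert capture this thread circles around is what Snort's tag keyword provides: after a rule fires, the session is tagged and its following packets are logged for a count of packets or seconds (later 2.x manuals also document a bytes metric). The sketch below is an added illustration of those semantics with a byte, packet and time budget, written for this page; it is not Snort's code and not something any of the posters wrote. The names (Packet, Tag, SessionLogger, bytes_budget_demo) and the SMTP sample traffic are constructed for the example; the bulk transfer at the end stands in for the multi-gigabyte download Jason mentions, and the budget is what keeps it from becoming a multi-gigabyte log.

```python
"""Bounded post-alert session logging, modelled on Snort's tag keyword.

Added illustration, not Snort's code. Packets are constructed in-memory
records; an alert on a session "tags" it, and later packets of that
session are logged until a packet, byte or seconds budget runs out,
whichever comes first.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass
class Packet:
    ts: float            # seconds since capture start (constructed)
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes

    def session_key(self) -> Tuple:
        # Direction-insensitive key so both halves of a TCP session match.
        a, b = (self.src, self.sport), (self.dst, self.dport)
        return (a, b) if a <= b else (b, a)


@dataclass
class Tag:
    start_ts: float
    max_packets: int
    max_bytes: int
    max_seconds: float
    packets: int = 0
    nbytes: int = 0

    def accept(self, pkt: Packet) -> bool:
        """True if pkt still fits every budget; counters updated on success."""
        if pkt.ts - self.start_ts > self.max_seconds:
            return False
        if self.packets >= self.max_packets:
            return False
        if self.nbytes + len(pkt.payload) > self.max_bytes:
            return False
        self.packets += 1
        self.nbytes += len(pkt.payload)
        return True


class SessionLogger:
    def __init__(self, alert_fn: Callable[[Packet], bool],
                 max_packets: int = 50, max_bytes: int = 64 * 1024,
                 max_seconds: float = 60.0):
        self.alert_fn = alert_fn
        self.limits = (max_packets, max_bytes, max_seconds)
        self.tags: Dict[Tuple, Tag] = {}
        self.logged: List[Packet] = []      # what would be written to disk
        self.truncated: List[Tuple] = []    # sessions cut off by the budget

    def process(self, pkt: Packet) -> None:
        key = pkt.session_key()
        tag = self.tags.get(key)
        if tag is None:
            if not self.alert_fn(pkt):
                return
            # Alert: the triggering packet is always logged, and a budget is
            # opened for the rest of the session (tag:session semantics).
            self.logged.append(pkt)
            self.tags[key] = Tag(pkt.ts, *self.limits)
            return
        if tag.accept(pkt):
            self.logged.append(pkt)
        else:
            # Budget exhausted: stop logging this session and record that the
            # capture is partial. A later alert on it would open a new budget.
            del self.tags[key]
            self.truncated.append(key)


def bytes_budget_demo() -> dict:
    """Constructed traffic: a short SMTP exchange that trips the alert, then a
    long bulk transfer on the same session. Returns what reached the log."""
    client, server = ("10.0.0.5", 40123), ("192.0.2.25", 25)

    def alert(p: Packet) -> bool:
        return p.payload.startswith(b"MAIL FROM:")

    log = SessionLogger(alert, max_packets=1000, max_bytes=16 * 1024,
                        max_seconds=300.0)
    pkts = [
        Packet(0.0, *server, *client, b"220 mx.example.test ESMTP\r\n"),
        Packet(0.1, *client, *server, b"MAIL FROM:<a@example.test>\r\n"),
        Packet(0.2, *server, *client, b"250 OK\r\n"),
    ]
    # 100 full-size segments (140 KB) offered against a 16 KB budget.
    for i in range(100):
        pkts.append(Packet(1.0 + i * 0.01, *client, *server, b"A" * 1400))
    for p in pkts:
        log.process(p)
    return {
        "logged_packets": len(log.logged),
        "logged_bytes": sum(len(p.payload) for p in log.logged),
        "truncated_sessions": len(log.truncated),
        "offered_bytes": sum(len(p.payload) for p in pkts),
    }
```

Running bytes_budget_demo() shows the point Jason makes: of roughly 140 KB offered on the session, only the alerting packet plus what fits in the 16 KB budget is logged, and the session is marked as truncated rather than followed to its end. A real deployment would pair a cap like this with a separate full-packet ring buffer (the tcpdump/tethereal approach Alex describes) for the rare case where the whole session is genuinely needed.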