[Snort-users] log single packet vs reassembled stream

Thomas Anderson neo_ait at ...131...
Mon Oct 4 19:09:30 EDT 2004

Hi all,
I am trying to capture session data of an average mail or data transfer.... So I think we can put an upper limit on the session data size... so that most of the traffic sessions can be caught....
So is there any way to provide such information to Snort? Or do I have to modify some code to do the adjustment?

Jason Haar <Jason.Haar at ...294...> wrote:
Alex Butcher, ISC/ISYS wrote:

>> I know about the tag keyword..... Is there any other way so that the
>> entire session can be logged, if alert is generated in any of its
>> packet....
> sguil can integrate snort with tcpdump, apparently. I've thought about 
> doing something similar using flexresp, tethereal (in ring-log-file 
> mode) and a shell script or similar.

I think Thomas that you need to think through what you are asking. What 
if the traffic in question ends up being a 6Gb DVD download? No IDS 
system will log such amounts of data - it would cause a DoS attack 
against the IDS (i.e. it would run out of memory, CPU, DISK, take your 
pick). Also think about if you were using the SQL backend - can your 
database handle a 6Gb BLOB object? :-). With Snort, a logged event 
contains the section that triggered the alert plus "a bit" of extra data 
around it - but it doesn't capture the entire session.

If you are sure you need such capabilities, then as Alex says, there may 
be other options...
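One concrete way to express the upper limit Thomas is asking about, added here as an example and not something posted in the thread: the tag keyword already mentioned in the discussion accepts a byte or packet count as its metric, so a rule can log the remainder of a session up to a fixed size instead of the whole transfer. The server network (192.0.2.0/24), port 25 and the "MAIL FROM" content match below are constructed for illustration; the sid values are from the local range and the cap of 1 MB is an arbitrary choice.

```snort
# Added example for the Snort-users thread; not part of the original message.
# Network, port, content string and sid are constructed placeholders.
#
# When a packet matches, tag:session tells Snort to keep logging the rest of
# that session until <count> of <metric> has been reached. Using "bytes" as
# the metric puts a hard ceiling on how much of a large transfer (the 6 GB
# download Jason describes) ends up on disk or in a database BLOB.
alert tcp any any -> 192.0.2.0/24 25 (msg:"EXAMPLE SMTP session capture capped at 1 MB"; \
    flow:to_server,established; \
    content:"MAIL FROM"; nocase; \
    tag:session,1048576,bytes; \
    classtype:misc-activity; sid:1000001; rev:1;)

# Same idea, but the cap is expressed in packets instead of bytes.
alert tcp any any -> 192.0.2.0/24 25 (msg:"EXAMPLE SMTP session capture capped at 500 packets"; \
    flow:to_server,established; \
    content:"MAIL FROM"; nocase; \
    tag:session,500,packets; \
    classtype:misc-activity; sid:1000002; rev:1;)
```

Later Snort 2.x releases also carry a global setting in snort.conf, `config tagged_packet_limit: <n>` (default 256 packets), that bounds tagging regardless of what an individual rule asks for; check the manual for the version in use before relying on a per-rule byte count alone. Either way the logged data stays a bounded slice of the session, which is the point Jason makes about Snort not being a full-session capture tool.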


