[Snort-users] Log everything in NIDS mode (yet not all packets are getting logged)
dansagsun at ...11827...
Tue May 17 11:25:01 EDT 2005
My goal is to both a) log all tcp packets in binary and b) also run in
realtime NIDS mode (any alerts being sent to both unified.log and
To accomplish this, I've defined a custom rule type and changed the
rule order around so that it gets called first.
# create custom logging rule-type
ruletype logall
{
    type log
    output log_tcpdump: snort.tcpdump.log
}
# log rule
logall tcp any any <> any any
# change order that rules are evaluated
config order: logall activation dynamic alert pass log
Yet it still appears some packets aren't getting logged.
Snort received 1501 packets
Breakdown by protocol:
TCP: 1212 (80.746%)
UDP: 96 (6.396%)
ICMP: 1 (0.067%)
ARP: 71 (4.730%)
EAPOL: 0 (0.000%)
IPv6: 0 (0.000%)
IPX: 0 (0.000%)
OTHER: 121 (8.061%)
DISCARD: 0 (0.000%)
Shouldn't I be seeing LOGGED == 1212 ?? What packets are NOT being logged?
As a sanity check, I can run snort in packet logging mode and the
"analyzed" and "logged" counts are nearly identical (well, off by a
few packets...I assume that's because a few packets may get analyzed
yet not logged before it receives my Ctrl-C signal).
I started disabling other preprocessors, especially the stream
preprocessors, as well as the -z option, and that seemed to help. My
theory is that some preprocessors may silently pass packets? But if
I've changed the rule order to logall first, shouldn't this stuff get
logged before any detection routines are called?
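One way to answer "which packets are NOT being logged" is to count the packets actually written to the log_tcpdump file by protocol and diff that against the "Breakdown by protocol" table Snort prints at exit. The script below is an added example, not part of the original post or of Snort itself: it reads a classic libpcap file with Ethernet link type (the format log_tcpdump writes), classifies each frame the way Snort's summary does, parses the summary text, and reports the per-protocol shortfall. The pcap bytes and the summary text it runs on are constructed inline so it works offline; in practice you would read snort.tcpdump.log and paste the real summary.

```python
import re
import struct
from collections import Counter

PCAP_MAGIC_LE = 0xA1B2C3D4      # magic as read little-endian from a little-endian file
PCAP_MAGIC_BE = 0xD4C3B2A1      # same bytes when the file was written big-endian
LINKTYPE_ETHERNET = 1
ETHERTYPE_IP, ETHERTYPE_ARP, ETHERTYPE_IPV6 = 0x0800, 0x0806, 0x86DD
IP_PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}


def classify_frame(frame: bytes) -> str:
    """Map one Ethernet frame onto the protocol labels Snort uses in its summary."""
    if len(frame) < 14:
        return "OTHER"
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype == ETHERTYPE_ARP:
        return "ARP"
    if ethertype == ETHERTYPE_IPV6:
        return "IPv6"
    if ethertype != ETHERTYPE_IP or len(frame) < 24:
        return "OTHER"
    return IP_PROTO_NAMES.get(frame[14 + 9], "OTHER")   # IPv4 protocol field


def count_pcap_protocols(data: bytes) -> Counter:
    """Walk a libpcap file held in memory and count frames per protocol label."""
    magic = struct.unpack("<I", data[:4])[0]
    endian = {PCAP_MAGIC_LE: "<", PCAP_MAGIC_BE: ">"}.get(magic)
    if endian is None:
        raise ValueError("not a libpcap file")
    if struct.unpack(endian + "I", data[20:24])[0] != LINKTYPE_ETHERNET:
        raise ValueError("example only handles Ethernet link type")
    counts, offset = Counter(), 24
    while offset + 16 <= len(data):
        _sec, _usec, incl_len, _orig_len = struct.unpack(endian + "IIII", data[offset:offset + 16])
        offset += 16
        frame = data[offset:offset + incl_len]
        if len(frame) != incl_len:
            raise ValueError("truncated packet record")   # e.g. Snort killed mid-write
        offset += incl_len
        counts[classify_frame(frame)] += 1
    return counts


def parse_snort_breakdown(text: str) -> dict:
    """Pull 'PROTO: count (pct%)' lines out of Snort's exit summary."""
    counts = {}
    for line in text.splitlines():
        m = re.match(r"^\s*([A-Za-z0-9]+):\s+(\d+)\s+\(", line)
        if m:
            counts[m.group(1)] = int(m.group(2))
    return counts


def missing_by_protocol(snort_counts: dict, pcap_counts: Counter) -> dict:
    """Protocols where Snort saw more packets than reached the tcpdump log."""
    return {p: n - pcap_counts.get(p, 0) for p, n in snort_counts.items()
            if n != pcap_counts.get(p, 0)}


# --- constructed sample data (not captured traffic) ---------------------------
def _ipv4_frame(proto: int) -> bytes:
    eth = b"\x00" * 6 + b"\x00" * 5 + b"\x01" + struct.pack("!H", ETHERTYPE_IP)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, proto, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return eth + ip + b"\x00" * 20                        # dummy transport header


def _arp_frame() -> bytes:
    return b"\xff" * 6 + b"\x00" * 5 + b"\x01" + struct.pack("!H", ETHERTYPE_ARP) + b"\x00" * 28


def build_pcap(frames) -> bytes:
    header = struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    body = b"".join(struct.pack("<IIII", 1000 + i, 0, len(f), len(f)) + f
                    for i, f in enumerate(frames))
    return header + body


SAMPLE_PCAP = build_pcap([_ipv4_frame(6)] * 3 + [_ipv4_frame(17)] * 2 + [_ipv4_frame(1), _arp_frame()])
SAMPLE_SUMMARY = """Breakdown by protocol:
    TCP: 5        (55.556%)
    UDP: 2        (22.222%)
   ICMP: 1        (11.111%)
    ARP: 1        (11.111%)
"""

if __name__ == "__main__":
    logged = count_pcap_protocols(SAMPLE_PCAP)
    seen = parse_snort_breakdown(SAMPLE_SUMMARY)
    print("logged:", dict(logged))
    print("missing:", missing_by_protocol(seen, logged))
```

With the constructed data the log holds three TCP frames while the summary claims five, so the script reports two TCP packets missing from the log; any truncated final record (Snort interrupted with Ctrl-C mid-write) shows up as a ValueError rather than being silently skipped.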