[Snort-users] Log everything in NIDS mode (yet not all packets are getting logged)

Bryan Leavitt dansagsun at ...11827...
Tue May 17 11:25:01 EDT 2005


My goal is to both a) log all tcp packets in binary and b) also run in
realtime NIDS mode (any alerts being sent to both unified.log and
unified.alert files).

To accomplish this, I've defined a custom rule type and changed the
rule order around so that it gets called first.

snort.conf stuff:

# create custom logging rule-type
ruletype logall
{
    type log
    output log_tcpdump: snort.tcpdump.log
}

# log rule
logall tcp any any <> any any

# change order that rules are evaluated
config order: logall activation dynamic alert pass log


Yet it still appears some packets aren't getting logged.  


Snort received 1501 packets
    Analyzed: 1501(100.000%)
    Dropped: 0(0.000%)
===============================================================================
Breakdown by protocol:
    TCP: 1212       (80.746%)
    UDP: 96         (6.396%)
   ICMP: 1          (0.067%)
    ARP: 71         (4.730%)
  EAPOL: 0          (0.000%)
   IPv6: 0          (0.000%)
    IPX: 0          (0.000%)
  OTHER: 121        (8.061%)
DISCARD: 0          (0.000%)
===============================================================================
Action Stats:
ALERTS: 1
LOGGED: 1109
PASSED: 0


Shouldn't I be seeing LOGGED == 1212 ??  What packets are NOT being logged?  

As a sanity check, I can run snort in packet logging mode and the
"analyzed" and "logged" counts are nearly identical (well, off by a
few packets...I assume that's because a few packets may get analyzed
yet not logged before it receives my Ctrl-C signal).

I started disabling other preprocessors, especially the stream
preprocessors, as well as the -z option, and that seemed to help.  My
theory is that some preprocessors may silently pass packets?  But if
I've changed the rule order to logall first, shouldn't this stuff get
logged before any detection routines are called?

Any suggestions?

-Bryan
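
Added example (not part of the original post, and not Snort code): one way to answer "what packets are NOT being logged" is to diff the NIDS-mode snort.tcpdump.log against a reference capture of the same traffic and list the TCP frames that are missing. It assumes both files are classic libpcap with Ethernet II framing and the same snaplen, for instance one saved capture replayed with -r through both modes; every function name and the sample frames are made up for illustration.

```python
import struct
from collections import Counter

def read_pcap(data):
    """Yield raw frames from a classic (microsecond) libpcap file given as bytes."""
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(data[:4])
    if endian is None:
        raise ValueError("not a classic pcap file")
    off = 24                                   # skip the 24-byte global header
    while off + 16 <= len(data):
        caplen = struct.unpack(endian + "I", data[off + 8:off + 12])[0]
        yield data[off + 16:off + 16 + caplen]
        off += 16 + caplen

def tcp_offset(frame):
    """Offset of the TCP header in an Ethernet II + IPv4 + TCP frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None
    off = 14 + (frame[14] & 0x0F) * 4          # 14-byte Ethernet + IPv4 header length
    return off if len(frame) >= off + 14 else None

def summarize(frame, off):
    src, dst = (".".join(map(str, frame[i:i + 4])) for i in (26, 30))
    sport, dport, seq = struct.unpack("!HHI", frame[off:off + 8])
    return f"{src}:{sport} -> {dst}:{dport} seq={seq} flags=0x{frame[off + 13]:02x}"

def missing_tcp(reference, logged):
    """TCP frames in the reference capture that never appear in the Snort log."""
    remaining, missing = Counter(read_pcap(logged)), []   # multiset of logged frames
    for frame in read_pcap(reference):
        off = tcp_offset(frame)
        if off is not None and remaining[frame] > 0:
            remaining[frame] -= 1              # byte-identical copies match one for one
        elif off is not None:
            missing.append(summarize(frame, off))
    return missing

def make_frame(proto, sport, dport, seq, flags):   # constructed test data, not from the post
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, proto, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    l4 = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 0x50, flags, 1024, 0, 0)
    return bytes(12) + b"\x08\x00" + ip + l4

def make_pcap(frames):
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    return hdr + b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)

def demo():
    a, b, c = (make_frame(6, 1025, 80, s, f) for s, f in ((1, 0x02), (2, 0x18), (3, 0x11)))
    return missing_tcp(make_pcap([a, b, make_frame(17, 53, 53, 0, 0), c]), make_pcap([a, b]))
```

On real files, pass the two captures read in binary mode to missing_tcp(); the flags and sequence numbers of the missing frames show what kind of segments are being skipped.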