[Snort-users] Double logging in alert_fast - Problem solved

Zultan zultan at ...13388...
Sun Sep 18 18:05:07 EDT 2005


Please disregard the below.

Removing the tag:session option from the log line stopped the double logging.

My apologies to the list...


----- Original Message -----
From: Zultan <zultan at ...13388...>
To: snort-users at lists.sourceforge.net
Subject: [Snort-users] Double logging in alert_fast
Date: Fri, 16 Sep 2005 04:22:03 +0000

>
> I know ASCII logging is bad, and that binary logging would be much better for 
> this, but still, I need to do it.   Also, according to the archives, this was 
> an issue before 1.8.1.
>
> While trying to grab entire TCP sessions with a hostile IP, it logs each 
> packet twice after the 3-way handshake.  Running 2.4 and testing from the 
> command line with:
>
> snort -d -i eth0 -l ./log -m 027 -y -c ./host-svr.rules
>
> ----------------
> host-svr.rules is:
> ----------------
>
> var HOME_NET [x.x.x.x/32]
> var EXTERNAL_NET any
> include ./class.config
> output alert_fast: alert
>
> var HOSTILE_SVRS [IPaddress/32]
>
> alert tcp $HOME_NET any -> $HOSTILE_SVRS any (msg:"SYN to HOSTILE server"; flags:S;)
> alert tcp $HOSTILE_SVRS any -> $HOME_NET any (msg:"SYN/ACK from HOSTILE server"; flags:SA;)
> log tcp $HOSTILE_SVRS any <> $HOME_NET any (flow:established; tag:session,5000,packets;)
>






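Why the fix works, with a corrected rules file as an added example (this is not the poster's file and not Snort project code; it assumes the same variables and class.config as the quoted host-svr.rules, and it assumes Snort 2.x tag semantics, where a rule match logs the matching packet and tag:session then logs the following packets of that session through the log output). The quoted log rule is bidirectional and uses flow:established, so it already matches every packet of the session in both directions once the handshake is complete; the tag:session on the same rule logs those same packets a second time, which is exactly the "twice after the 3-way handshake" seen above. Dropping the tag, as the poster did, leaves one copy per packet. If the handshake packets are wanted in the session capture as well, the tag can instead go on a rule that fires once per session (the SYN), in which case the separate log rule is unnecessary; that variant is the second option below. Both options are assumptions drawn from the documented tag behaviour, not something the thread itself tested.

```snort
# Added example, not the original poster's rules file.
# Assumes the same variable values and class.config as the quoted host-svr.rules.
var HOME_NET [x.x.x.x/32]
var EXTERNAL_NET any
var HOSTILE_SVRS [IPaddress/32]
include ./class.config
output alert_fast: alert

# Problem: this rule matches every established packet in both directions,
# and its tag:session logs those same packets again, so each packet after
# the handshake is written twice.
# log tcp $HOSTILE_SVRS any <> $HOME_NET any (flow:established; tag:session,5000,packets;)

alert tcp $HOME_NET any -> $HOSTILE_SVRS any (msg:"SYN to HOSTILE server"; flags:S;)
alert tcp $HOSTILE_SVRS any -> $HOME_NET any (msg:"SYN/ACK from HOSTILE server"; flags:SA;)

# Option 1 (what the poster did): keep the log rule, drop the tag.
# flow:established on a bidirectional rule already captures the whole
# session after the handshake, one copy per packet.
log tcp $HOSTILE_SVRS any <> $HOME_NET any (flow:established;)

# Option 2 (assumption, not tested in the thread): tag the session from the
# SYN instead and remove the log rule above. The SYN alert fires once per
# session, and its tag logs the next 5000 packets of that session once each.
# The SYN/ACK alert would then be logged twice (once by its own rule, once
# as a tagged packet), so it is dropped in this variant.
# alert tcp $HOME_NET any -> $HOSTILE_SVRS any (msg:"SYN to HOSTILE server"; flags:S; tag:session,5000,packets;)
```

Whichever option is used, run it with the same command line as above and count log entries for a single test connection; with either variant each post-handshake packet should appear once.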


