[Snort-users] Double logging in alert_fast - Problem solved
zultan at ...13388...
Sun Sep 18 18:05:07 EDT 2005
Please disregard the below.
Removing the tag:session option from the log line stopped the double logging.
My apologies to the list...
----- Original Message -----
From: Zultan <zultan at ...13388...>
To: snort-users at lists.sourceforge.net
Subject: [Snort-users] Double logging in alert_fast
Date: Fri, 16 Sep 2005 04:22:03 +0000
> I know ASCII logging is bad, and that binary logging would be much better for
> this, but still, I need to do it. Also, according to the archives, this was
> an issue before 1.8.1.
> While trying to grab entire TCP sessions with a hostile IP, Snort logs each
> packet twice after the 3-way handshake. Running 2.4 and testing from the
> command line with:
> snort -d -i eth0 -l ./log -m 027 -y -c ./host-svr.rules
> host-svr.rules is:
> var HOME_NET [x.x.x.x/32]
> var EXTERNAL_NET any
> include ./class.config
> output alert_fast: alert
> var HOSTILE_SVRS [IPaddress/32]
> alert tcp $HOME_NET any -> $HOSTILE_SVRS any (msg:"SYN to HOSTILE
> alert tcp $HOSTILE_SVRS any -> $HOME_NET any (msg:"SYN/ACK from HOSTILE
> server"; flags:SA;)
> log tcp $HOSTILE_SVRS any <> $HOME_NET any (flow:established;
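The behaviour reported and fixed above can be reproduced with a small model, added here and not part of the original post or of Snort itself. It models the documented effect of the `tag` keyword: once a rule carrying `tag:session` fires, Snort keeps logging the rest of that session, while a `log` rule restricted to `flow:established` independently matches every one of those same packets. The packet sequence, the rule representation and the `simulate` function are constructed for this illustration; they are not Snort's internals.

```python
"""Model of how Snort's `tag:session` interacts with a catch-all `log` rule.

Added example (not from the original post, not Snort code). It is a
simplified model of two documented mechanisms:
  1. a rule with `tag:session` causes the remaining packets of the
     session to be logged after the rule fires;
  2. a `log` rule with `flow:established` matches every post-handshake
     packet on its own.
Each mechanism writes the packet once, so together they write it twice.
All packets and rules below are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    seq: int          # position in the capture, used as a key
    src: str
    dst: str
    flags: str        # TCP flags, e.g. "S", "SA", "A", "PA"
    established: bool # True once the 3-way handshake has completed


@dataclass(frozen=True)
class LogRule:
    name: str
    established_only: bool  # models `flow:established`
    tag_session: bool       # models `tag:session,...`


def session_key(pkt: Packet) -> frozenset:
    """Direction-agnostic session identity (the rule uses `<>`)."""
    return frozenset({pkt.src, pkt.dst})


def simulate(packets, rules):
    """Return {seq: number of times that packet was written to the log}."""
    counts = {p.seq: 0 for p in packets}
    tagged_sessions = set()
    for p in packets:
        # Mechanism 1: session already tagged by an earlier match -> log it.
        if session_key(p) in tagged_sessions:
            counts[p.seq] += 1
        # Mechanism 2: ordinary rule evaluation on the same packet.
        for r in rules:
            if r.established_only and not p.established:
                continue
            counts[p.seq] += 1
            if r.tag_session:
                tagged_sessions.add(session_key(p))
    return counts


# Constructed session between a monitored host and a "hostile" server.
HOME, HOSTILE = "10.0.0.5", "203.0.113.7"  # RFC 5737 documentation address
SESSION = [
    Packet(1, HOME, HOSTILE, "S", False),   # SYN
    Packet(2, HOSTILE, HOME, "SA", False),  # SYN/ACK
    Packet(3, HOME, HOSTILE, "A", True),    # ACK: handshake complete
    Packet(4, HOSTILE, HOME, "PA", True),   # data
    Packet(5, HOME, HOSTILE, "A", True),    # ack of data
]


def run(tag_session: bool) -> dict:
    """Log counts for the post's `log tcp ... <> ... (flow:established; ...)` rule,
    with and without the `tag:session` option."""
    rule = LogRule("log established hostile traffic", True, tag_session)
    return simulate(SESSION, [rule])


if __name__ == "__main__":
    print("with tag:session   ", run(True))   # post-handshake packets logged twice
    print("without tag:session", run(False))  # each logged once
```

The first established packet is logged once in both runs because the tag only takes effect after the rule has fired; every later packet in the session is logged by the tag and again by the rule, which is the duplication the original post observed. Dropping `tag:session` (or, equivalently, keeping the tag and dropping the catch-all `log` rule) leaves a single mechanism and a single copy of each packet.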