[Snort-users] Logging Reassembled Packets

Martin Roesch roesch at ...1935...
Thu Mar 13 21:40:48 EDT 2008


Correction.  You should use Daemonlogger!

:)

	-Marty

On Mar 13, 2008, at 8:20 PM, Jason wrote:

> snort is not intended to log full reassembled streams, it is intended to
> detect intrusion attempts and log the relevant data associated with
> those attempts. If you want full session logging you should use tcpdump.
>
> Kamran Shafi wrote:
>> I notice that there is a show_rebuilt_packets option in stream5_global
>> configuration, which I have turned on but don't know if it is producing
>> anything. I run snort on some traffic collected on a web/dns/mysql server
>> using -r flag. The log shows that snort filters out the server's response
>> and keeps only the inbound traffic - I am not sure if this behaviour is
>> because of the stream 5 processor or else?
>>
>> On Fri, Mar 14, 2008 at 12:56 AM, Joel Esler <joel.esler at ...1935...> wrote:
>>
>>> Again, a visit to the readme's in the doc/ directory should help you.
>>> Look up "log_flushed_streams" in the stream4 readme.
>>> Joel
>>>
>>> On Mar 13, 2008, at 2:36 AM, Kamran Shafi wrote:
>>>
>>> Hi All,
>>>
>>> Is there a way to log the reassembled (TCP/UDP/ICMP) sessions in Snort?
>>>
>>> --
>>> Regards
>>> Kam
>>> -------------------------------------------------------------------------
>>> This SF.net email is sponsored by: Microsoft
>>> Defy all challenges. Microsoft(R) Visual Studio 2008.
>>>
>>> http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/
>>> _______________________________________________
>>> Snort-users mailing list
>>> Snort-users at lists.sourceforge.net
>>> Go to this URL to change user options or unsubscribe:
>>> https://lists.sourceforge.net/lists/listinfo/snort-users
>>> Snort-users list archive:
>>> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>>>
>>>
>>>
>>> --
>>> Joel Esler  joel.esler at ...1935...

--
Martin Roesch - Founder/CTO, Sourcefire Inc. - +1-410-290-1616
Sourcefire - Security for the Real World - http://www.sourcefire.com
Snort: Open Source IDP - http://www.snort.org
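Kamran's observation above (only inbound traffic survives in the log) is worth checking mechanically before trusting any capture for session logging. The following is an added example, not code from the thread or from Snort: it parses raw Ethernet/IPv4/TCP frames (constructed inline, no checksums) and reports sessions where only one endpoint ever sent a frame, which is exactly the "server response missing" symptom.

```python
# Added example (not from the thread): flag TCP sessions in a capture where only
# one direction is present, i.e. the "server response filtered out" symptom above.
import struct
from collections import defaultdict

def build_frame(src, sport, dst, dport, payload=b"", flags=0x18):
    """Construct a minimal Ethernet/IPv4/TCP frame for the demo (checksums left at 0)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, flags, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp

def parse_frame(frame):
    """Return (src, sport, dst, dport, payload_len) for an IPv4/TCP frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None
    ihl = (frame[14] & 0x0F) * 4
    total_len = struct.unpack("!H", frame[16:18])[0]
    src = ".".join(map(str, frame[26:30]))
    dst = ".".join(map(str, frame[30:34]))
    tcp = frame[14 + ihl:14 + total_len]
    sport, dport = struct.unpack("!HH", tcp[:4])
    doff = (tcp[12] >> 4) * 4
    return src, sport, dst, dport, len(tcp) - doff

def session_directions(frames):
    """Per session (sorted endpoint pair), count [frames, payload bytes] sent by each endpoint."""
    sessions = defaultdict(lambda: defaultdict(lambda: [0, 0]))
    for frame in frames:
        parsed = parse_frame(frame)
        if parsed is None:
            continue
        src, sport, dst, dport, plen = parsed
        key = tuple(sorted([(src, sport), (dst, dport)]))
        counts = sessions[key][(src, sport)]
        counts[0] += 1
        counts[1] += plen
    return sessions

def one_sided_sessions(frames):
    """Sessions in which only one endpoint ever sent a frame (the reply side is missing)."""
    return [key for key, dirs in session_directions(frames).items() if len(dirs) == 1]

if __name__ == "__main__":
    # Constructed capture: session A has both directions, session B only the client side.
    capture = [
        build_frame("10.0.0.5", 40000, "192.0.2.10", 80, b"GET / HTTP/1.0\r\n\r\n"),
        build_frame("192.0.2.10", 80, "10.0.0.5", 40000, b"HTTP/1.0 200 OK\r\n\r\n"),
        build_frame("10.0.0.6", 40001, "192.0.2.10", 80, b"GET /x HTTP/1.0\r\n\r\n"),
    ]
    print(one_sided_sessions(capture))
```

Run it against frames read from a real pcap (strip the pcap record headers first) to see whether a capture or a Snort log directory actually holds both halves of each session.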

