[Snort-users] Snort logs different than the stuff I see in BASE.

Joel Esler eslerj at ...11827...
Fri Feb 27 11:22:58 EST 2009


Actually, I was just corrected:
-b makes snort act like tcpdump entirely
log_tcpdump logs event packet information in a pcap format.

I would use -b at the command line if I was using Snort in Sniffer mode.
log_tcpdump is more for the IDS/IPS portion of the engine.

J

On Fri, Feb 27, 2009 at 10:13 AM, Joel Esler <eslerj at ...11827...> wrote:

> That's fine, let us know what you can.
> Incidentally, -b and log_tcpdump are the same thing.
>
> J
>
>
> On Fri, Feb 27, 2009 at 10:09 AM, Bruno G. San Alejo <bgonzalez at ...14528...> wrote:
>
>>    Hi, I had already done something like that with the -b option, but
>> since I'm a newbie with this stuff, I went into the snort.conf and
>> commented out the DB output and uncommented the option for the
>> log_tcpdump output. I don't know if it will work differently.
>>
>>    In my time zone my job time ends in minutes and my parental duties
>> take over, so I don't think I'll be sending anything new till Monday
>> morning. :)
>>
>>    Thanks.
>>
>> Joel Esler wrote:
>> > Try this, don't output to database.  Try having Snort just output
>> > directly to pcap format, then we can try and figure out where the
>> > problem may lie.
>> >
>> > J
>> >
>> > On Fri, Feb 27, 2009 at 7:35 AM, Bruno G. San Alejo
>> > <bgonzalez at ...14528... <mailto:bgonzalez at ...14528...>> wrote:
>> >
>> >        Hello, I'm missing out something here because I have produced
>> >     some log files from snort and when I check them out with wireshark
>> >     I cannot find some alert packets that I see at BASE.
>> >
>> >        In detail, I see some ICMP redirect messages in the logs
>> >     (through wireshark, they are in tcpdump format), but BASE shows
>> >     just one. Also, the mac addresses involved are not the same (I have
>> >     just one sensor), though the IPs are. I know this because the packet
>> >     saved as pcap from BASE and opened with Wireshark has plain wrong
>> >     mac addresses.
>> >
>> >        I thought that some packets could get lost due to heavy load
>> >     (actually this is a live network, but I'm running snort non
>> >     promiscuous).
>> >     But the discrepancies between what BASE shows me and what snort logs
>> >     make me believe I'm doing something wrong.
>> >
>> >        Thanks.
>> >



-- 
Joel Esler
T: 302-223-5974 (-) Gtalk: jesler at ...1935...
[m]
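To do the comparison Bruno describes, listing every ICMP redirect in the tcpdump-format file that `-b` or `log_tcpdump` writes, together with the MAC addresses actually on the wire, here is an added Python example (not from the thread, not Snort's own code). The sample pcap is constructed inline with zeroed checksums; for a real log, read the file bytes and pass them to `icmp_redirects_in_pcap`.

```python
import struct
ICMP_REDIRECT = 5  # ICMP type 5 = redirect

def _mac(b):
    return ":".join(f"{x:02x}" for x in b)

def _ip(b):
    return ".".join(str(x) for x in b)

def icmp_redirects_in_pcap(data):
    """One record per ICMP redirect in a libpcap file with Ethernet frames."""
    magic, _, _, _, _, _, linktype = struct.unpack("<IHHiIII", data[:24])
    if magic != 0xA1B2C3D4 or linktype != 1:
        raise ValueError("expected little-endian libpcap file with Ethernet link type")
    out, off = [], 24
    while off + 16 <= len(data):
        _, _, caplen, _ = struct.unpack("<IIII", data[off:off + 16])
        frame = data[off + 16:off + 16 + caplen]
        off += 16 + caplen
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue  # not IPv4
        ihl = (frame[14] & 0x0F) * 4
        icmp = frame[14 + ihl:]
        if frame[23] != 1 or len(icmp) < 8 or icmp[0] != ICMP_REDIRECT:
            continue  # not ICMP, or not a redirect
        out.append({"src_mac": _mac(frame[6:12]), "dst_mac": _mac(frame[0:6]),
                    "src_ip": _ip(frame[26:30]), "dst_ip": _ip(frame[30:34]),
                    "gateway": _ip(icmp[4:8])})  # redirect target sits in the ICMP header
    return out

def build_icmp_frame(src_mac, dst_mac, src_ip, dst_ip, icmp_type, gateway="0.0.0.0"):
    """Constructed Ethernet/IPv4/ICMP frame for the sample below (checksums left zero)."""
    mac = lambda m: bytes.fromhex(m.replace(":", ""))
    ip4 = lambda a: bytes(int(x) for x in a.split("."))
    icmp = struct.pack("!BBH", icmp_type, 1, 0) + ip4(gateway) + b"\x00" * 28
    iphdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64, 1, 0,
                        ip4(src_ip), ip4(dst_ip))
    return mac(dst_mac) + mac(src_mac) + b"\x08\x00" + iphdr + icmp

def build_pcap(frames):
    """Wrap frames in a libpcap file, the tcpdump format that -b and log_tcpdump write."""
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # link type 1 = Ethernet
    return hdr + b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)

# Constructed sample: two redirects from one router plus an echo request that must be skipped.
SAMPLE_PCAP = build_pcap([
    build_icmp_frame("00:11:22:33:44:55", "66:77:88:99:aa:bb", "10.0.0.1", "10.0.0.20", 5, "10.0.0.2"),
    build_icmp_frame("66:77:88:99:aa:bb", "00:11:22:33:44:55", "10.0.0.20", "10.0.0.9", 8),
    build_icmp_frame("00:11:22:33:44:55", "66:77:88:99:aa:bb", "10.0.0.1", "10.0.0.21", 5, "10.0.0.2"),
])
```

Running the same extraction over the pcap exported from BASE and over the sensor's own log gives two lists whose MAC columns can be compared directly, which is where the mismatch Bruno saw would show up.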