No subject


Thu Nov 23 16:36:19 EST 2017


        -d         Dump the Application Layer
        -e         Display the second layer header info
        -v         Be verbose
        -l <ld>    Log to directory <ld>

Now, I'm on a train, so I can't really test it, but I'm pretty sure that

A) it will be verbose and display all the packets (including application and
second layer info) to STDOUT
B) it will also log it all into the <ld> directory.

> 3. I have found that in NIDS mode, i.e.
>        snort -deD -l /var/log/snort -c /etc/snort.conf
>        logs only part of the complete data, i.e. maybe the current
> packet. What if I want to log "everything" if an attack is found?
> I have gone through the log documents. Please clear these points.

Ehheh, well, for a start, take a look at the stream4 preprocessor. Having
said that, I'm pretty sure it doesn't log the whole stream. I haven't looked
into this in more depth, but a quick 'grep stream4' in the snort-1.8.4 dir
revealed 

* added new config keyword to stream4, "log_flushed_streams", which causes
all buffered packets in the stream reassembler for that session to be logged
in the event of an event on that stream (must be used in conjunction with
spo_log_tcpdump)

So, I guess that'll sort it...! If it doesn't, then use tcpdump in
conjunction with it and throw man-hours at it...! :)

HTH, 

Scott 
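The two pieces of the reply above (the stream4 "log_flushed_streams" keyword and the requirement that spo_log_tcpdump be loaded) put together as a snort.conf fragment. This is an added example, not text from the original post or a file shipped by the Snort project; the option syntax is that of the 1.8.4/1.9-era stream4 preprocessor, and the file names (/etc/snort.conf, /var/log/snort, snort.log) and the port list are assumptions for illustration.

```conf
# Added example, not from the original message: stream4 plus the tcpdump
# output plugin, so that an alert on a TCP session logs every packet the
# reassembler has buffered for that session rather than just the one
# packet that matched. File names and ports are assumptions.

# Before: stream4 reassembles, but only the triggering packet is logged,
# and no binary (tcpdump-format) output plugin is loaded for it to feed.
#   preprocessor stream4: detect_scans
#   preprocessor stream4_reassemble: both, ports default

# After: log_flushed_streams dumps every packet buffered for the session
# that raised the event. Per the changelog line quoted in the reply it
# must be used together with spo_log_tcpdump, i.e. the log_tcpdump output
# plugin below; without that plugin the keyword has nothing to write to.
preprocessor stream4: detect_scans, log_flushed_streams
preprocessor stream4_reassemble: both, ports default
output log_tcpdump: snort.log

# Run in NIDS mode with the flags from the quoted question; -l names the
# log directory, so the binary log ends up under /var/log/snort (the
# plugin appends a suffix to the base name, so list the directory first):
#   snort -deD -l /var/log/snort -c /etc/snort.conf
#   ls /var/log/snort
#   tcpdump -nn -r /var/log/snort/snort.log.<suffix>
```

Reading the resulting file back with tcpdump (last comment line) is the quickest check that whole sessions, not single packets, are being written; if that still shows only the matching packet, the fallback Scott suggests, a separate tcpdump capture alongside Snort, is the remaining option.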
