Thu Nov 23 16:36:19 EST 2017
-d Dump the Application Layer
-e Display the second layer header info
-v Be verbose
-l <ld> Log to directory <ld>
Now, I'm on a train, so I can't really test it, but I'm pretty sure that
A) it will be verbose and display all the packets (including application and
second layer info) to STDOUT
B) it will also log it all into the <ld> directory.
> 3. I have found that in NIDS mode, i.e.
> snort -deD -l /var/log/snort -c /etc/snort.conf
> logs only part of the complete data, i.e. maybe the current
> packet. What if I want to log "everything" if an attack is found?
> I have gone through the log documents. Please clear up these points.
Ehheh, well, for a start, take a look at the stream4 preprocessor. Having
said that, I'm pretty sure it doesn't log the whole stream. I haven't looked
into this in more depth, but a quick 'grep stream4' in the snort-1.8.4 dir
* added new config keyword to stream4, "log_flushed_streams", which causes
all buffered packets in the stream reassembler for that session to be logged
in the event of an event on that stream (must be used in conjunction with
So, I guess that'll sort it...! If it doesn't, then use tcpdump in
conjunction with it and throw man-hours at it...! :)
Date: Tue, 2 Apr 2002 11:28:54 -0800 (PST)
From: Erek Adams <erek at ...577...>
To: Chris Frazier - PA <Chris_Frazier at ...5476...>
cc: snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] Snort Solaris 8 with quad card
On Tue, 2 Apr 2002, Chris Frazier - PA wrote:
> I have Snort running on a Ultra 5 with Solaris 8. I bring up interfaces
> qfe2 and qfe3 without IP addresses being assigned on different VLANs, and
> have Snort listen on those interfaces using separate commands:
> snort -D -c conf.file -l /var/log/snort/qfe2 -i qfe2
> snort -D -c conf.file -l /var/log/snort/qfe3 -i qfe3
> When I trigger scans on those VLANs, qfe2 logs the results, but qfe3 does
> nothing. If I kill the snort running on qfe3, and just do a tcpdump -i
> qfe3, and run the scans again, I see the traffic.
Ok, let's check this a bit more. If you use a 'snort -vade -i qfe2' and run
scans, do you see the traffic? Where does this traffic come from? A third
machine? If you just run the qfe3 instance (as above), does it log? Running a
'snort -vade -i qfe3' while scanning--does that show any data?
> So am I doing something completely wrong, or am I trying to do something
> that is not possible.
It all depends. :) 'Not Possible' just means someone else hasn't done it
> Any help is greatly appreciated.
Subject: Re: [Snort-users] configure --with-mysql= ?
From: Jason Yates <jyates at ...5449...>
To: ___cliff rayman___ <cliff at ...1366...>
Cc: John Sage <jsage at ...2022...>, snort-users at lists.sourceforge.net
Date: 02 Apr 2002 14:34:36 -0500
To: snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] OT: Deciphering log entry(iptables)
From: Chris Green <cmg at ...1935...>
Reply-To: snort-users at lists.sourceforge.net
Date: Tue, 02 Apr 2002 14:47:11 -0500
>>Has anyone seen this or know what it may be
>>Mar 31 04:19:35 xxxxfw1 kernel: IN= OUT=eth0
>>LEN=40 TOS=0x00 PREC=0x00 TTL=255 ID=0 DF
>>PROTO=TCP SPT=80 DPT=2418 WINDOW=0
>>RES=0x00 ACK RST URGP=0
It's very possible that someone is synflooding someone else using your
IP as the spoofed src.
Chris Green <cmg at ...1935...>
Fame may be fleeting but obscurity is forever.
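The iptables entry quoted above can be pulled apart mechanically, which helps when a firewall emits hundreds of them. The following is an added example written for this digest, not code from the original posts or from Snort; it parses netfilter LOG lines into fields, then counts outbound TCP RST/ACK packets with a zero window per source port so that a burst of the kind Chris describes stands out. The hostname and port numbers in the sample are constructed placeholders.

```python
import re
from collections import Counter
from typing import Dict

# Constructed sample log, modelled on the entry quoted in the thread.
# "xxxxfw1" and the ports are placeholders, not real hosts or traffic.
SAMPLE_LOG = """\
Mar 31 04:19:35 xxxxfw1 kernel: IN= OUT=eth0 LEN=40 TOS=0x00 PREC=0x00 TTL=255 ID=0 DF PROTO=TCP SPT=80 DPT=2418 WINDOW=0 RES=0x00 ACK RST URGP=0
Mar 31 04:19:36 xxxxfw1 kernel: IN= OUT=eth0 LEN=40 TOS=0x00 PREC=0x00 TTL=255 ID=0 DF PROTO=TCP SPT=80 DPT=2419 WINDOW=0 RES=0x00 ACK RST URGP=0
Mar 31 04:20:01 xxxxfw1 kernel: IN=eth0 OUT= LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1234 DF PROTO=TCP SPT=44321 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
"""

# KEY=VALUE tokens (IN= and OUT= may legitimately be empty).
KV = re.compile(r"([A-Z]+)=(\S*)")
# Bare tokens that netfilter prints without a value.
FLAGS = {"SYN", "ACK", "RST", "FIN", "PSH", "URG", "DF"}


def parse_iptables_line(line: str) -> Dict[str, object]:
    """Turn one netfilter LOG line into a dict of fields plus a 'flags' set."""
    fields: Dict[str, object] = {k: v for k, v in KV.findall(line)}
    fields["flags"] = frozenset(set(line.split()) & FLAGS)
    return fields


def is_outbound_zero_window_reset(f: Dict[str, object]) -> bool:
    """Outbound TCP RST/ACK with WINDOW=0, as in the quoted entry."""
    return bool(
        f.get("OUT") and not f.get("IN") and f.get("PROTO") == "TCP"
        and {"RST", "ACK"} <= f["flags"] and f.get("WINDOW") == "0"
    )


def find_reset_bursts(log_text: str, threshold: int = 2) -> Dict[str, int]:
    """Count matching resets per source port; report ports at/above threshold."""
    per_port: Counter = Counter()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        f = parse_iptables_line(line)
        if is_outbound_zero_window_reset(f):
            per_port[str(f["SPT"])] += 1
    return {spt: n for spt, n in per_port.items() if n >= threshold}


if __name__ == "__main__":
    print(find_reset_bursts(SAMPLE_LOG))
```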