No subject


Thu Nov 23 16:36:19 EST 2017


        -d         Dump the Application Layer
        -e         Display the second layer header info
        -v         Be verbose
        -l <ld>    Log to directory <ld>

Now, I'm on a train, so I can't really test it, but I'm pretty sure that

A) it will be verbose and display all the packets (including application and
second layer info) to STDOUT
B) it will also log it all into the <ld> directory.

> 3. I have found that in NIDS mode, i.e.
>        snort -deD -l /var/log/snort -c /etc/snort.conf
>        logs only part of the complete data, i.e. maybe the current
> packet. What if I want to log "everything" if an attack is found?
> I have gone through the log documents. Please clear up these points.

Ehheh, well, for a start, take a look at the stream4 preprocessor. Having
said that, I'm pretty sure it doesn't log the whole stream. I haven't looked
into this in more depth, but a quick 'grep stream4' in the snort-1.8.4 dir
revealed 

* added new config keyword to stream4, "log_flushed_streams", which causes
all buffered packets in the stream reassembler for that session to be logged
in the event of an event on that stream (must be used in conjunction with
spo_log_tcpdump)

So, I guess that'll sort it...! If it doesn't, then use tcpdump in
conjunction with it and throw man-hours at it...! :)

HTH, 

Scott 



--__--__--

Message: 6
Date: Tue, 2 Apr 2002 11:28:54 -0800 (PST)
From: Erek Adams <erek at ...577...>
To: Chris Frazier - PA <Chris_Frazier at ...5476...>
cc: snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] Snort Solaris 8 with quad card

On Tue, 2 Apr 2002, Chris Frazier - PA wrote:

> I have Snort running on a Ultra 5 with Solaris 8.  I bring up interfaces
> qfe2 and qfe3 without IP addresses being assigned on different VLANs, and
> have Snort listen on those interfaces using separate commands:
>
> snort -D -c conf.file -l /var/log/snort/qfe2 -i qfe2
> snort -D -c conf.file -l /var/log/snort/qfe3 -i qfe3
>
> When I trigger scans on those VLANs, qfe2 logs the results, but qfe3 does
> nothing.  If I kill the snort running on qfe3, and just do a tcpdump -i
> qfe3, and run the scans again, I see the traffic.

Ok, let's check this a bit more.  If you use a 'snort -vade -i qfe2' and run
scans, do you see the traffic?  Where does this traffic come from?  A third
machine?  If you just run the qfe3 instance (as above), does it log?  Running a
'snort -vade -i qfe3' while scanning, does that show any data?

> So am I doing something completely wrong, or am I trying to do something
> that is not possible.

It all depends.  :)  'Not Possible' just means someone else hasn't done it
yet.  ;-)

> Any help is greatly appreciated.

Cheers!

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net



--__--__--

Message: 7
Subject: Re: [Snort-users] configure --with-mysql= ?
From: Jason Yates <jyates at ...5449...>
To: ___cliff rayman___ <cliff at ...1366...>
Cc: John Sage <jsage at ...2022...>, snort-users at lists.sourceforge.net
Date: 02 Apr 2002 14:34:36 -0500

Try,

./configure --with-mysql


-Jason Yates



--__--__--

Message: 8
To: snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] OT: Deciphering log entry(iptables)
From: Chris Green <cmg at ...1935...>
Reply-To: snort-users at lists.sourceforge.net
Date: Tue, 02 Apr 2002 14:47:11 -0500

>>Has anyone seen this or know what it may be
>>related to?
>>
>>Mar 31 04:19:35 xxxxfw1 kernel: IN= OUT=eth0
>>SRC=aa.bb.cc.ddd(me) DST=aa.bb.ee.ff(them)
>>LEN=40 TOS=0x00 PREC=0x00 TTL=255 ID=0 DF
>>PROTO=TCP SPT=80 DPT=2418 WINDOW=0
>>RES=0x00 ACK RST URGP=0
>>


It's very possible that someone is synflooding someone else using your
IP as the spoofed src.

-- 
Chris Green <cmg at ...1935...>
Fame may be fleeting but obscurity is forever.

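The entry Chris is interpreting has the classic backscatter shape: the firewall's own address answering, with RST/ACK and a zero window, a reply to a connection it never opened. As an added example (not from the thread), here is a small parser for netfilter LOG lines in the format quoted above, with a heuristic that counts such outbound RST/ACK packets per local source port so a spoofed local address stands out; the sample lines and the heuristic thresholds are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample lines in the iptables/netfilter LOG format quoted in the
# thread. Addresses are documentation ranges, not real hosts.
SAMPLE_LOG = """\
Mar 31 04:19:35 fw1 kernel: IN= OUT=eth0 SRC=10.0.0.5 DST=198.51.100.7 LEN=40 TOS=0x00 PREC=0x00 TTL=255 ID=0 DF PROTO=TCP SPT=80 DPT=2418 WINDOW=0 RES=0x00 ACK RST URGP=0
Mar 31 04:19:36 fw1 kernel: IN= OUT=eth0 SRC=10.0.0.5 DST=198.51.100.9 LEN=40 TOS=0x00 PREC=0x00 TTL=255 ID=0 DF PROTO=TCP SPT=80 DPT=41022 WINDOW=0 RES=0x00 ACK RST URGP=0
Mar 31 04:19:37 fw1 kernel: IN=eth0 OUT= SRC=203.0.113.4 DST=10.0.0.5 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=3321 DF PROTO=TCP SPT=51234 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Mar 31 04:19:38 fw1 kernel: IN= OUT=eth0 SRC=10.0.0.5 DST=203.0.113.4 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=80 DPT=51234 WINDOW=5792 RES=0x00 ACK SYN URGP=0
"""

KV_RE = re.compile(r"([A-Z]+)=(\S*)")          # KEY=VALUE tokens, value may be empty (IN=)
TCP_FLAGS = {"SYN", "ACK", "RST", "FIN", "PSH", "URG"}

def parse_netfilter_line(line):
    """Return the KEY=VALUE fields of one LOG line plus a 'FLAGS' set
    holding the bare TCP flag tokens (ACK, RST, SYN, ...)."""
    _, _, body = line.partition("kernel: ")
    fields = dict(KV_RE.findall(body))
    bare = [tok for tok in body.split() if "=" not in tok]
    fields["FLAGS"] = {tok for tok in bare if tok in TCP_FLAGS}
    return fields

def is_backscatter(rec):
    """Heuristic (assumed, not from the thread): an outbound TCP packet that
    carries RST+ACK but no SYN, with WINDOW=0, is the kernel refusing a reply
    to a connection it never initiated, i.e. the echo of a spoofed SYN."""
    return (rec.get("PROTO") == "TCP"
            and rec.get("IN", "") == "" and rec.get("OUT", "") != ""
            and {"ACK", "RST"} <= rec["FLAGS"] and "SYN" not in rec["FLAGS"]
            and rec.get("WINDOW") == "0")

def backscatter_counts(log_text):
    """Count suspected backscatter packets per (SRC, SPT). Many hits from one
    local address and port towards unrelated remote hosts is the signal."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_netfilter_line(line)
        if is_backscatter(rec):
            counts[(rec["SRC"], rec["SPT"])] += 1
    return counts
```

A normal inbound SYN and the legitimate SYN/ACK answer to it (the last two sample lines) are not counted, so only the unsolicited RST/ACKs remain.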



--__--__--

_______________________________________________
Snort-users mailing list
Snort-users at lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-users


End of Snort-users Digest



