Snort mailing list archives
Preprocessor logging (was: Log vs. Alert --end the confusion!)
From: "Williams Jon" <WilliamsJon () JohnDeere com>
Date: Tue, 13 Aug 2002 13:23:31 -0500
If the stream gets flushed on an alert in the preprocessor, will it get written out as individual packets, each with their original header, or will they all get "reconstituted" into a stream pseudopacket? When trying to track down some of these issues, having the original packet headers is the only way to find out what's going on.

<blue-sky wishlist> As kind of a side note, has anyone looked into a rolling buffer of sorts to allow a certain amount of history? I mean, snort's tag: thingie is great for recording what happened _after_ an alert, but a lot of the time, it's what happened _before_ that is really useful for determining what's going on. Similar to the issues I've run into with the preprocessor alerts is that looking at the actual packet that triggered the alert only gets you so far. It would be very useful to be able to have an IDS that would buffer packets for a short period of time for a given src/dest pair and if, during that conversation/time period, any of the packets triggered an alert, write everything to the log rather than just that one packet. If nothing alerts in that conversation or if the timeout is exceeded, the buffer gets flushed. </blue-sky wishlist>

Jon
-----Original Message-----
From: Chris Green [mailto:cmg () sourcefire com]

I could add a flush the stream to the logging subsystem call but that's not guaranteed to show the initial packet that set the ttl. In 1.9, the ttl_evasion stuff will only go off if the current packet is a low number. This goes for all the alerts that come out of this preprocessor, and not just the TTL one. When we switch to a better logging subsystem, a lot more information about "WHAT" happened will be great.
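An added example, not from this thread or from Snort's code, of the rolling pre-alert buffer Jon sketches: recent packets for each src/dest conversation are held with their original header fields, the whole history is released only when one packet in it alerts, and an idle conversation is discarded once the timeout passes. The Packet fields, the bidirectional conversation key and the 30-second timeout are assumptions.

```python
from collections import deque, namedtuple

# Constructed packet record (assumed shape, not Snort's decoder): the original
# header fields are kept so the analyst can see what led up to the alert.
Packet = namedtuple("Packet", "ts src dst proto summary")


class PreAlertBuffer:
    """Per-conversation rolling history released only when a packet alerts."""

    def __init__(self, timeout=30.0, max_packets=64):
        self.timeout = timeout          # seconds of silence before a buffer is dropped
        self.max_packets = max_packets  # bound memory per conversation
        self._buffers = {}              # key -> (deque of packets, last_seen)

    @staticmethod
    def _key(pkt):
        # Assumption: both directions of a conversation share one buffer.
        return tuple(sorted((pkt.src, pkt.dst))) + (pkt.proto,)

    def expire(self, now):
        """Drop conversations idle longer than the timeout; returns how many."""
        stale = [k for k, (_, last) in self._buffers.items() if now - last > self.timeout]
        for k in stale:
            del self._buffers[k]
        return len(stale)

    def observe(self, pkt, alerted):
        """Buffer pkt. If it alerted, return the conversation history (oldest
        first, pkt included) for logging; otherwise return None and keep buffering."""
        self.expire(pkt.ts)
        key = self._key(pkt)
        buf, _ = self._buffers.get(key, (deque(maxlen=self.max_packets), pkt.ts))
        buf.append(pkt)
        self._buffers[key] = (buf, pkt.ts)
        if not alerted:
            return None
        history = list(buf)
        del self._buffers[key]  # everything was logged; start the conversation fresh
        return history


def demo():
    """Constructed traffic: early packets age out, the later ones are logged together."""
    pkts = [
        Packet(0.0, "10.0.0.5", "10.0.0.9", "tcp", "SYN"),
        Packet(0.5, "10.0.0.9", "10.0.0.5", "tcp", "SYN/ACK"),
        Packet(40.0, "10.0.0.5", "10.0.0.9", "tcp", "probe after long silence"),
        Packet(41.0, "10.0.0.5", "10.0.0.9", "tcp", "packet that trips the alert"),
    ]
    pab = PreAlertBuffer(timeout=30.0)
    for p in pkts:
        out = pab.observe(p, alerted=p.summary.startswith("packet that trips"))
        if out:
            return [q.summary for q in out]
    return []
```

The 40-second gap exceeds the timeout, so the SYN and SYN/ACK are discarded and only the two later packets reach the log with the alert.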