Snort mailing list archives
RE: Snort outputing like tcpdump
From: Erek Adams <erek () snort org>
Date: Fri, 17 Jan 2003 12:20:57 -0500 (EST)
On Fri, 17 Jan 2003, Christopher Lyon wrote:
> Is there a way not to log the payload?

Short answer: No.

Longer answer: I don't have my Stephens book handy right now; it's somewhere buried in a moving box, so this info isn't as accurate as I would like. Different types of packets have different header sizes. One may have 40 bytes, one may have 60 bytes, etc. As I said, Tcpdump grabs 68 bytes of the packet and works with that. Snort grabs 1514 bytes. If you want to change how much Snort grabs, use the -P command line option. snort -P 68 will have Snort reading exactly as Tcpdump would.

If you're attempting to use that for Intrusions, it's all but worthless. If you're trying to do it for tracking your users, just use tcpdump, urlsnarf, or something like that. If you're trying to get it into a DB, modify the db output plugin not to send the payload once it's got the headers decoded.

Cheers!

-----
Erek Adams
"When things get weird, the weird turn pro." H.S. Thompson
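Added illustration of the point above about variable header sizes and what a 68-byte snaplen actually keeps; this script is not from the thread. The frames are constructed sample data and the function names and constants are assumptions taken from the figures quoted in the reply (tcpdump 68, Snort 1514).

```python
import struct

ETH_HLEN = 14          # Ethernet II header without a VLAN tag
TCPDUMP_SNAPLEN = 68   # tcpdump's classic default snaplen (figure from the reply)
SNORT_SNAPLEN = 1514   # Snort's default, a full Ethernet frame (figure from the reply)


def build_frame(ip_options: bytes, tcp_options: bytes, payload: bytes) -> bytes:
    """Construct a sample Ethernet/IPv4/TCP frame (constructed data, not a capture)."""
    assert len(ip_options) % 4 == 0 and len(tcp_options) % 4 == 0
    ihl, doff = 20 + len(ip_options), 20 + len(tcp_options)
    eth = b"\x00" * 12 + b"\x08\x00"  # zeroed MACs, EtherType IPv4
    ip = struct.pack("!BBHHHBBH4s4s", 0x40 | ihl // 4, 0, ihl + doff + len(payload),
                     0, 0, 64, 6, 0, b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02")
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 0, 0, (doff // 4) << 4, 0x18, 8192, 0, 0)
    return eth + ip + ip_options + tcp + tcp_options + payload


def header_bytes(frame: bytes) -> int:
    """Total bytes of Ethernet + IPv4 + TCP/UDP headers in the frame."""
    if len(frame) < ETH_HLEN + 20 or frame[12:14] != b"\x08\x00":
        raise ValueError("expected an Ethernet II / IPv4 frame")
    ip = frame[ETH_HLEN:]
    ihl = (ip[0] & 0x0F) * 4           # IHL in 32-bit words: 20..60 bytes
    proto = ip[9]
    if proto == 6:                     # TCP: data offset in the upper nibble of byte 12
        l4 = (ip[ihl + 12] >> 4) * 4   # 20..60 bytes
    elif proto == 17:                  # UDP: fixed 8-byte header
        l4 = 8
    else:
        raise ValueError(f"unhandled IP protocol {proto}")
    return ETH_HLEN + ihl + l4


def snaplen_report(frame: bytes, snaplen: int) -> dict:
    """What a capture truncated to `snaplen` bytes keeps of this frame."""
    hdr = header_bytes(frame)
    captured = min(len(frame), snaplen)
    return {
        "header_bytes": hdr,
        "headers_complete": captured >= hdr,
        "payload_captured": max(0, captured - hdr),
        "payload_total": len(frame) - hdr,
    }


if __name__ == "__main__":
    plain = build_frame(b"", b"", b"GET / HTTP/1.0\r\n" * 10)
    heavy = build_frame(b"\x01" * 40, b"\x01" * 40, b"x" * 200)  # max IP and TCP options
    for name, f in (("plain", plain), ("max-options", heavy)):
        for snap in (TCPDUMP_SNAPLEN, SNORT_SNAPLEN):
            print(name, snap, snaplen_report(f, snap))
```

The max-options frame shows the caveat: with 60-byte IP and TCP headers, 68 bytes does not even cover the headers, let alone stop cleanly at the payload boundary.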
Current thread:
- Snort outputing like tcpdump Christopher Lyon (Jan 16)
- Re: Snort outputing like tcpdump Erek Adams (Jan 17)
- <Possible follow-ups>
- RE: Snort outputing like tcpdump Gonzalez, Albert (Jan 17)
- RE: Snort outputing like tcpdump Christopher Lyon (Jan 17)
- RE: Snort outputing like tcpdump Erek Adams (Jan 17)
- IM Logging - How to? Angel Gabriel (Jan 17)
- RE: IM Logging - How to? Kevin Pietersma (Jan 17)