Snort mailing list archives

RE: Snort outputting like tcpdump


From: "Christopher Lyon" <cslyon () netsvcs com>
Date: Sun, 19 Jan 2003 10:05:08 -0800

Got it,
So I would be better off using tcpdump, ethereal or something like that
to capture what I want and log it to a separate database.



-----Original Message-----
From: Erek Adams [mailto:erek () snort org]
Sent: Friday, January 17, 2003 9:21 AM
To: Christopher Lyon
Cc: snort-users () lists sourceforge net
Subject: RE: [Snort-users] Snort outputting like tcpdump

On Fri, 17 Jan 2003, Christopher Lyon wrote:

Is there a way not to log the payload?

Short answer:  No.

Longer answer:  I don't have my Stephens book handy right now, it's
somewhere buried in a moving box, so this info isn't as accurate as I
would like.  Different types of packets have different header sizes.  One
may have 40 bytes, one may have 60 bytes, etc.  As I said, Tcpdump grabs
68 bytes of the packet and works with that.  Snort grabs 1514 bytes.  If
you want to change how much Snort grabs, use the -P command line option.
snort -P 68 will have Snort reading exactly as Tcpdump would.

If you're attempting to use that for Intrusions, it's all but worthless.
If you're trying to do it for tracking your users, just use tcpdump,
urlsnarf, or something like that.  If you're trying to get it into a DB,
modify the db output plugin not to send the payload once it's got the
headers decoded.

Cheers!

-----
Erek Adams

   "When things get weird, the weird turn pro."   H.S. Thompson
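The point Erek makes above, that a fixed 68-byte snaplen captures "headers only" only when the headers happen to be short enough, can be checked directly. The script below is an added example, not code from the thread or from Snort: it builds constructed Ethernet/IPv4/TCP frames and reports how many payload bytes would still be written to disk at a given snaplen (the Snort -P value), so you can see when IP or TCP options push the headers past the truncation point or leave payload bytes behind.

```python
import struct

ETH_LEN = 14  # Ethernet II header: dst MAC, src MAC, EtherType


def build_frame(ip_opts=b"", tcp_opts=b"", payload=b"GET / HTTP/1.0\r\n\r\n"):
    """Constructed sample frame (not real traffic): Ethernet II / IPv4 / TCP.

    ip_opts and tcp_opts must be multiples of 4 bytes; NOP (0x01) padding is fine.
    """
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    ihl = 5 + len(ip_opts) // 4          # IPv4 header length in 32-bit words
    doff = 5 + len(tcp_opts) // 4        # TCP data offset in 32-bit words
    total_len = ihl * 4 + doff * 4 + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, total_len, 0, 0, 64, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])) + ip_opts
    tcp = struct.pack("!HHIIBBHHH", 12345, 80, 1, 0, doff << 4, 0x18, 8192, 0, 0) + tcp_opts
    return eth + ip + tcp + payload


def captured_payload(frame, snaplen):
    """Return how many TCP payload bytes survive when the frame is cut at snaplen.

    This is what ends up on disk after 'snort -P <snaplen>' or 'tcpdump -s <snaplen>'.
    Raises ValueError for anything other than IPv4/TCP over Ethernet.
    """
    pkt = frame[:snaplen]  # capture truncation keeps the first snaplen bytes only
    if len(pkt) < ETH_LEN + 20 or pkt[12:14] != b"\x08\x00":
        raise ValueError("not an IPv4-over-Ethernet frame with a full IP header")
    ihl = (pkt[ETH_LEN] & 0x0F) * 4
    if pkt[ETH_LEN + 9] != 6:
        raise ValueError("not TCP")
    tcp_off = ETH_LEN + ihl
    if len(pkt) < tcp_off + 13:
        return 0  # truncated inside the TCP header: no payload could be present
    doff = (pkt[tcp_off + 12] >> 4) * 4
    headers_end = tcp_off + doff
    return max(0, len(pkt) - headers_end)


if __name__ == "__main__":
    # Minimal headers (54 bytes): a 68-byte snaplen still leaks 14 payload bytes.
    print(captured_payload(build_frame(), 68))
    # 12 bytes of TCP options: only 2 payload bytes survive.
    print(captured_payload(build_frame(tcp_opts=b"\x01" * 12), 68))
    # IP and TCP options together exceed 68 bytes: nothing of the payload is kept.
    print(captured_payload(build_frame(ip_opts=b"\x01" * 4, tcp_opts=b"\x01" * 12), 68))
```

The practical takeaway is that a fixed snaplen is a blunt tool: to guarantee no payload is logged you must decode the headers and drop the rest, which is exactly the output-plugin change Erek suggests.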


