Snort mailing list archives
RE: Snort outputting like tcpdump
From: "Christopher Lyon" <cslyon () netsvcs com>
Date: Sun, 19 Jan 2003 10:05:08 -0800
Got it. So I would be better off using tcpdump, ethereal or something like that to capture what I want and log it to a separate database.
-----Original Message-----
From: Erek Adams [mailto:erek () snort org]
Sent: Friday, January 17, 2003 9:21 AM
To: Christopher Lyon
Cc: snort-users () lists sourceforge net
Subject: RE: [Snort-users] Snort outputting like tcpdump

On Fri, 17 Jan 2003, Christopher Lyon wrote:

> Is there a way not to log the payload?

Short answer: No.

Longer answer: I don't have my Stephens book handy right now, it's somewhere buried in a moving box, so this info isn't as accurate as I would like. Different types of packets have different header sizes. One may have 40 bytes, one may have 60 bytes, etc. As I said, Tcpdump grabs 68 bytes of the packet and works with that. Snort grabs 1514 bytes. If you want to change how much Snort grabs, use the -P command line option. snort -P 68 will have Snort reading exactly as Tcpdump would.

If you're attempting to use that for Intrusions, it's all but worthless. If you're trying to do it for tracking your users, just use tcpdump, urlsnarf, or something like that. If you're trying to get it into a DB, modify the db output plugin not to send the payload once it's got the headers decoded.

Cheers!

-----
Erek Adams

"When things get weird, the weird turn pro." H.S. Thompson
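The point Erek makes above, that header sizes vary per packet so a fixed 68-byte snaplen (tcpdump's old default, or `snort -P 68`) sometimes cuts into the headers themselves, and that a DB output plugin can drop the payload once the headers are decoded, can be shown with a small script. This is an added example, not code from the thread, from Snort or from tcpdump: it builds a few Ethernet/IPv4/TCP frames in memory (constructed sample data, not real captures), computes how many leading bytes are header, strips the payload, and checks whether a given snaplen would have preserved every header byte. The function names (`header_length`, `strip_payload`, `snaplen_covers_headers`, `build_frame`) are hypothetical.

```python
import struct

ETHERTYPE_IPV4 = 0x0800
PROTO_TCP = 6
PROTO_UDP = 17


def header_length(frame: bytes) -> int:
    """Number of leading bytes of an Ethernet frame that are protocol
    headers (Ethernet + IPv4 + TCP/UDP), i.e. everything except payload.
    Raises ValueError if the frame is too short to hold the headers it claims."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETHERTYPE_IPV4:
        return 14  # only the Ethernet header is decoded here
    ihl = (frame[14] & 0x0F) * 4  # IPv4 header length incl. options
    if ihl < 20 or len(frame) < 14 + ihl:
        raise ValueError("truncated or malformed IPv4 header")
    proto = frame[14 + 9]
    l4_off = 14 + ihl
    if proto == PROTO_TCP:
        if len(frame) < l4_off + 20:
            raise ValueError("truncated TCP header")
        data_off = (frame[l4_off + 12] >> 4) * 4  # TCP header length incl. options
        if data_off < 20 or len(frame) < l4_off + data_off:
            raise ValueError("truncated or malformed TCP header")
        return l4_off + data_off
    if proto == PROTO_UDP:
        return l4_off + 8
    return l4_off


def strip_payload(frame: bytes) -> bytes:
    """Keep the headers, drop the application payload (what a header-only
    DB logger would store)."""
    return frame[: header_length(frame)]


def snaplen_covers_headers(frame: bytes, snaplen: int = 68) -> bool:
    """True if capturing only `snaplen` bytes would still keep every header byte."""
    return header_length(frame) <= snaplen


def build_frame(ip_options: bytes = b"", tcp_options: bytes = b"",
                payload: bytes = b"") -> bytes:
    """Construct a sample Ethernet/IPv4/TCP frame (checksums left zero)."""
    ip_options += b"\x00" * (-len(ip_options) % 4)    # pad to 32-bit words
    tcp_options += b"\x00" * (-len(tcp_options) % 4)
    eth = bytes.fromhex("001122334455" "66778899aabb") + struct.pack("!H", ETHERTYPE_IPV4)
    ihl = 5 + len(ip_options) // 4
    total_len = ihl * 4 + 20 + len(tcp_options) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, total_len, 0x1234,
                     0x4000, 64, PROTO_TCP, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])) + ip_options
    data_off = 5 + len(tcp_options) // 4
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, data_off << 4, 0x18,
                      65535, 0, 0) + tcp_options
    return eth + ip + tcp + payload


if __name__ == "__main__":
    plain = build_frame(payload=b"GET / HTTP/1.0\r\n")
    # 12 bytes of IP options plus a 12-byte TCP timestamp option block
    bulky = build_frame(ip_options=b"\x94\x04\x00\x00" * 3,
                        tcp_options=b"\x01\x01\x08\x0a" + b"\x00" * 8,
                        payload=b"GET / HTTP/1.0\r\n")
    for name, f in (("plain", plain), ("bulky", bulky)):
        print(name, "headers:", header_length(f), "bytes;",
              "68-byte snaplen keeps all headers:", snaplen_covers_headers(f))
```

Run as-is it reports 54 header bytes for the plain frame (fits in 68) and 78 for the frame carrying IP and TCP options (does not fit), which is the "40 bytes vs 60 bytes" variation Erek describes and why a fixed small snaplen is unreliable for anything beyond the simplest header logging.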