Snort mailing list archives
Re: log single packet vs reassembled stream
From: Thomas Anderson <neo_ait () yahoo com>
Date: Mon, 4 Oct 2004 19:06:28 -0700 (PDT)
Hi all,

I am trying to capture session data of an average mail or data transfer.... So I think we can put an upper limit on the session data size... so that most of the traffic sessions can be caught.... So is there any way to provide such information to Snort?? Or do I have to modify some code to do the adjustment??

Regards,
Thomas

Jason Haar <Jason.Haar () trimble co nz> wrote:

> Alex Butcher, ISC/ISYS wrote:
>
>>> I know about the tag keyword..... Is there any other way so that the entire session can be logged, if an alert is generated on any of its packets....
>>
>> sguil can integrate snort with tcpdump, apparently. I've thought about doing something similar using flexresp, tethereal (in ring-log-file mode) and a shell script or similar.
>
> I think, Thomas, that you need to think through what you are asking. What if the traffic in question ends up being a 6Gb DVD download? No IDS system will log such amounts of data - it would cause a DoS attack against the IDS (i.e. it would run out of memory, CPU, disk, take your pick). Also think about if you were using the SQL backend - can your database handle a 6Gb BLOB object? :-)
>
> With Snort, a logged event contains the section that triggered the alert plus "a bit" of extra data around it - but it doesn't capture the entire session. If you are sure you need such capabilities, then as Alex says, there may be other options...
>
> Jason
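The byte-bounded, per-session capture Thomas is asking for (with the cap Jason argues any IDS must impose) sketched in Python, as an added example that is not code from the thread or from Snort; the flows, packets and the alert predicate are constructed for the demo.

```python
# Added example (not code from the thread or from Snort): byte-capped,
# per-session capture that starts when a packet raises an alert. The
# flows, packets and the alert predicate below are constructed for the demo.
from collections import defaultdict

def flow_key(pkt):
    """Direction-agnostic 5-tuple so both halves of a session share one budget."""
    a = (pkt["src"], pkt["sport"])
    b = (pkt["dst"], pkt["dport"])
    return (pkt["proto"],) + (a + b if a <= b else b + a)

def capture_sessions(packets, alert_fn, byte_cap):
    """Return ({flow: [kept payloads]}, {flow: payload bytes dropped}).
    A flow is tagged by its first alerting packet; that packet and those
    after it are kept until byte_cap bytes of payload have been stored."""
    budgets = {}                     # flow -> remaining bytes
    captured = defaultdict(list)
    dropped = defaultdict(int)
    for pkt in packets:
        key = flow_key(pkt)
        if key not in budgets:
            if not alert_fn(pkt):
                continue             # untagged flow: nothing retained
            budgets[key] = byte_cap  # tag the session from this packet on
        size = len(pkt["payload"])
        if size <= budgets[key]:
            budgets[key] -= size
            captured[key].append(pkt["payload"])
        else:
            dropped[key] += size     # cap reached: count it, don't store it
    return dict(captured), dict(dropped)

def make_pkt(src, sport, dst, dport, payload):
    return {"proto": "tcp", "src": src, "sport": sport,
            "dst": dst, "dport": dport, "payload": payload}

# Constructed traffic: an SMTP session that alerts and an HTTP download that does not.
SAMPLE_PACKETS = [
    make_pkt("10.0.0.5", 40000, "10.0.0.9", 25, b"EHLO client\r\n"),
    make_pkt("10.0.0.5", 40000, "10.0.0.9", 25, b"MAIL FROM:<a@example.test>\r\n"),
    make_pkt("10.0.0.9", 25, "10.0.0.5", 40000, b"250 OK\r\n"),
    make_pkt("10.0.0.5", 40000, "10.0.0.9", 25, b"DATA\r\n" + b"x" * 300),
    make_pkt("10.0.0.7", 40001, "10.0.0.9", 80, b"GET /dvd.iso HTTP/1.0\r\n"),
    make_pkt("10.0.0.9", 80, "10.0.0.7", 40001, b"\x00" * 5000),
]

def smtp_alert(pkt):
    """Stand-in for a Snort rule: alert on MAIL FROM sent to port 25."""
    return pkt["dport"] == 25 and pkt["payload"].startswith(b"MAIL FROM")
```

With a 100-byte budget the SMTP session keeps the alerting packet and the server reply, drops the 306-byte DATA packet, and the download flow is never stored because it never alerted.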
Current thread:
- log single packet vs reassembled stream Thomas Anderson (Oct 03)
- Re: log single packet vs reassembled stream Alex Butcher, ISC/ISYS (Oct 04)
- Re: log single packet vs reassembled stream Thomas Anderson (Oct 04)
- Re: log single packet vs reassembled stream Alex Butcher, ISC/ISYS (Oct 04)
- Re: log single packet vs reassembled stream Jason Haar (Oct 04)
- Re: log single packet vs reassembled stream Thomas Anderson (Oct 04)
- Re: log single packet vs reassembled stream Alex Butcher, ISC/ISYS (Oct 05)
- Re: log single packet vs reassembled stream Thomas Anderson (Oct 04)
- Re: log single packet vs reassembled stream Alex Butcher, ISC/ISYS (Oct 04)