Snort mailing list archives

Log everything in NIDS mode (yet not all packets are getting logged)


From: Bryan Leavitt <dansagsun () gmail com>
Date: Tue, 17 May 2005 14:24:02 -0400

My goal is to both a) log all tcp packets in binary and b) also run in
realtime NIDS mode (any alerts being sent to both unified.log and
unified.alert files).

To accomplish this, I've defined a custom rule type and changed the
rule order around so that it gets called first.

snort.conf stuff:

# create custom logging rule-type
ruletype logall
{
    type log
    output log_tcpdump: snort.tcpdump.log
}

# log rule
logall tcp any any <> any any

# change order that rules are evaluated
config order: logall activation dynamic alert pass log


Yet it still appears some packets aren't getting logged.  


Snort received 1501 packets
    Analyzed: 1501(100.000%)
    Dropped: 0(0.000%)
===============================================================================
Breakdown by protocol:
    TCP: 1212       (80.746%)
    UDP: 96         (6.396%)
   ICMP: 1          (0.067%)
    ARP: 71         (4.730%)
  EAPOL: 0          (0.000%)
   IPv6: 0          (0.000%)
    IPX: 0          (0.000%)
  OTHER: 121        (8.061%)
DISCARD: 0          (0.000%)
===============================================================================
Action Stats:
ALERTS: 1
LOGGED: 1109
PASSED: 0


Shouldn't I be seeing LOGGED == 1212 ??  What packets are NOT being logged?

As a sanity check, I can run snort in packet logging mode and the
"analyzed" and "logged" counts are nearly identical (well, off by a
few packets...I assume that's because a few packets may get analyzed
yet not logged before it receives my Ctrl-C signal).

I started disabling other preprocessors, especially the stream
preprocessors, as well as the -z option, and that seemed to help.  My
theory is that some preprocessors may silently pass packets?  But if
I've changed the rule order to logall first, shouldn't this stuff get
logged before any detection routines are called?

Any suggestions?

-Bryan
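One way to answer "what packets are NOT being logged" directly rather than from the summary counters is to diff the log_tcpdump output against a packet-logger-mode capture of the same traffic. The script below is an added example for this thread, not code from Bryan's post or from the Snort project; it assumes both files are libpcap format with an Ethernet link type and that the traffic of interest is IPv4/TCP. The two pcaps it runs on are constructed inline (hypothetical 10.0.0.1/10.0.0.2 flows) so it runs offline; point `missing_tcp()` at the real files to use it.

```python
"""Report TCP packets present in one libpcap file but absent from another,
e.g. a packet-logger-mode capture vs. the log_tcpdump file of a NIDS-mode run.
Added example for the snort-users thread; not Snort's own code."""
import struct

ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6
IPPROTO_UDP = 17


def read_pcap(data):
    """Yield (ts_sec, ts_usec, frame_bytes) per record of a libpcap file.
    Accepts either byte order of the global header; assumes DLT_EN10MB."""
    magic = data[:4]
    if magic == b"\xa1\xb2\xc3\xd4":
        endian = ">"
    elif magic == b"\xd4\xc3\xb2\xa1":
        endian = "<"
    else:
        raise ValueError("not a libpcap file (unsupported magic)")
    _, _, _, _, _, linktype = struct.unpack(endian + "HHiIII", data[4:24])
    if linktype != 1:  # DLT_EN10MB: this example only parses Ethernet frames
        raise ValueError("only Ethernet link type supported")
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        yield ts_sec, ts_usec, data[off:off + incl_len]
        off += incl_len


def tcp_key(frame):
    """Identify an Ethernet/IPv4/TCP frame by (ip_id, src, dst, sport, dport, seq).
    Returns None for anything that is not IPv4/TCP."""
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[9] != IPPROTO_TCP or len(ip) < ihl + 8:
        return None
    ip_id = struct.unpack("!H", ip[4:6])[0]
    sport, dport, seq = struct.unpack("!HHI", ip[ihl:ihl + 8])
    return (ip_id, ip[12:16], ip[16:20], sport, dport, seq)


def count_tcp(pcap_bytes):
    """Number of IPv4/TCP frames; compare with Snort's 'TCP:' breakdown line."""
    return sum(1 for _, _, f in read_pcap(pcap_bytes) if tcp_key(f) is not None)


def missing_tcp(full_pcap, logged_pcap):
    """Keys of TCP packets in full_pcap that never appear in logged_pcap.
    Exact retransmissions share a key and are counted once."""
    logged = {tcp_key(f) for _, _, f in read_pcap(logged_pcap)} - {None}
    return [k for _, _, f in read_pcap(full_pcap)
            if (k := tcp_key(f)) is not None and k not in logged]


# --- constructed sample data (hypothetical hosts 10.0.0.1 -> 10.0.0.2) ---
def build_frame(ip_id, sport, dport, seq, proto=IPPROTO_TCP):
    """Minimal Ethernet/IPv4 frame carrying a bare TCP or UDP header."""
    if proto == IPPROTO_TCP:
        l4 = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x10, 8192, 0, 0)
    else:
        l4 = struct.pack("!HHHH", sport, dport, 8, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), ip_id, 0, 64, proto, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])) + l4
    eth = bytes.fromhex("001122334455") + bytes.fromhex("6677889 9aabb".replace(" ", "")) + struct.pack("!H", ETHERTYPE_IPV4)
    return eth + ip


def build_pcap(frames):
    """Wrap frames in a little-endian libpcap file (DLT_EN10MB)."""
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    recs = b"".join(struct.pack("<IIII", 1116354242 + i, 0, len(f), len(f)) + f
                    for i, f in enumerate(frames))
    return hdr + recs


TCP_FRAMES = [build_frame(1, 40000, 80, 1000),
              build_frame(2, 80, 40000, 2000),
              build_frame(3, 40000, 80, 1001)]
UDP_FRAME = build_frame(4, 5353, 5353, 0, proto=IPPROTO_UDP)
FULL_PCAP = build_pcap(TCP_FRAMES + [UDP_FRAME])      # what packet-logger mode saw
LOGGED_PCAP = build_pcap([TCP_FRAMES[0], TCP_FRAMES[2]])  # what log_tcpdump wrote

if __name__ == "__main__":
    print("TCP in capture: %d, TCP in log: %d" % (count_tcp(FULL_PCAP), count_tcp(LOGGED_PCAP)))
    for ip_id, src, dst, sport, dport, seq in missing_tcp(FULL_PCAP, LOGGED_PCAP):
        print("missing: id=%d %s:%d -> %s:%d seq=%d" % (
            ip_id, ".".join(map(str, src)), sport, ".".join(map(str, dst)), dport, seq))
```

The key includes the IP identification and TCP sequence number so that packets of the same 4-tuple are not collapsed; once the missing set is in hand, the shared properties of those packets (direction, flags, position in the stream) are what to check against whichever preprocessor or rule is suspected of consuming them.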


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users