Snort mailing list archives

RE: snort with 2 nics - collecting only UDP data


From: "Tinu Patel" <tinu.patel () insignis com>
Date: Tue, 27 Nov 2001 14:07:51 -0600

What are spp_stream4 and http_decode?  How do I disable them?
 
-----Original Message-----
From: Matt Kettler [mailto:mkettler () evi-inc com] 
Sent: Tuesday, November 27, 2001 1:54 PM
To: Tinu Patel
Subject: RE: [Snort-users] snort with 2 nics - collecting only UDP data
 
Do you have spp_stream4 on? This does some stateful inspection and
filters a lot of harmless garbage out, but it also means that unless the
packets you are observing wind up with established connections they may
not be processed by your log rule.

If your desire is to log everything I'd disable all the spp_stream*
preprocessors and the http_decode one. I'd also consider disabling the
fragmentation processors.

Those suggestions aside, I'd try getting the system working with
Snort's default logging first, then switch to ACID/MySQL. This will take
MySQL and ACID setup problems out of the possible sources of your
problem.

Once it works with the default logging, if it stops working when
you enable ACID, it's likely an ACID/MySQL setup problem. Unfortunately
I can't help you with those problems; I use the default logging and
SnortSnarf.

At 02:34 PM 11/27/2001, you wrote:

Thanks a lot for the feedback... I removed the extra any from the
snort.conf file... and I am using log because I am entering data into a
MySQL database and using ACID as a front end.  In my snort.conf file if
I do :
