Snort mailing list archives

Re: Need to log FULL packets


From: Junaidi Bin Sapari <junaidi () securecirt com>
Date: Thu, 14 Mar 2002 06:04:06 +0800

On Thursday 14 March 2002 02:59, Matt Kettler wrote:

Snort is able to do tagging. This is based on the rule which is triggered.
Once a rule is triggered, all the traffic involving the source host is
logged. Below is one of my examples, so just apply the same to whichever
rules you want.
(from web-iis.rules)
alert tcp $EXTERNAL_NET any -> $IIS_SERVERS 80 (msg:"WEB-IIS cmd.exe access"; 
flags: A+; content:"cmd.exe"; nocase; classtype:web-application-attack; 
sid:1002; rev:2; tag: host, 300, packets, src;)


Well, first I'm wondering what version of snort you are running. Snort
1.9??? Erm, snort 1.8.4 isn't even in non beta yet as far as I can tell
(1.8.4 beta4 was released March 2). Is 1.9 what the CVS image tarballs call
themselves? If so, why are you using snort-current for production use?
(that's a development branch snapshot, which really could use a better name
on the website, the term "current" risks implying "current release").


As far as switches go, -X (full dump including IP headers) or -d
(application layer only, no IP headers) should be all you need.

You claim the data looks like it is "cut off". Since this is UDP we are
talking about, have you checked to make sure you're not only catching one
fragment of a multi-fragment UDP packet? Note that dumping the application
layer data like this will slow snort down enough that it becomes quite
likely that, if a UDP packet gets fragmented, you may miss some of the
following fragments while the first one is dumped.

If this is the case, you might make sure that the frag2 preprocessor is on
to defragment the UDP packet prior to passing it up and dumping it.

At 01:06 PM 3/13/2002 -0500, Sheahan, Paul (PCLN-NW) wrote:
Hello,

I'm doing an investigation on some unusual UDP traffic on my network and
am using Snort 1.9 on Linux to monitor the data. The traces of each
packet are getting cut off in the logs. How can I be sure I am getting
ALL of each packet in the traces? The more info I can gather on each
packet during this test would be ideal (I'm not concerned about speed or
missed packets).

Can anyone recommend the correct Snort switches so I can gather the MOST
thorough data?

Thanks in advance!
Paul

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
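Matt's point about multi-fragment UDP packets, as an added example that is not part of the thread: a minimal IPv4 fragment reassembler run over constructed fragments (assumed addresses, zero checksums, a hypothetical 3072-byte UDP payload). A capture that holds only the first fragment, or that dropped a middle one, reassembles to a short, incomplete payload, which is exactly what a log entry that looks "cut off" amounts to, and why running frag2 before dumping matters.

```python
import struct

def parse_ipv4(pkt):
    """Pull the IPv4 header fields that matter for reassembly."""
    ver_ihl, _, total_len, ident, ff, _, proto, _, _, _ = struct.unpack(
        "!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    return {"id": ident, "proto": proto, "mf": bool(ff & 0x2000),
            "offset": (ff & 0x1FFF) * 8, "payload": pkt[ihl:total_len]}

def reassemble(fragments):
    """Stitch fragments of one datagram; returns (payload, complete)."""
    parts = sorted((parse_ipv4(f) for f in fragments), key=lambda p: p["offset"])
    buf, complete = bytearray(), True
    for p in parts:
        if p["offset"] != len(buf):      # hole: a fragment never arrived
            complete = False
            break
        buf += p["payload"]
    if not parts or parts[-1]["mf"]:     # last piece seen still says "more follow"
        complete = False
    return bytes(buf), complete

def make_fragment(ident, offset, mf, payload):
    """Build one IPv4 fragment (constructed addresses, checksum left zero)."""
    ff = (0x2000 if mf else 0) | (offset // 8)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident, ff,
                      64, 17, 0, b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02")
    return hdr + payload

def fragment_udp(ident, data, mtu=1500):
    """Wrap data in a UDP header and split it like a 1500-byte link would."""
    udp = struct.pack("!HHHH", 53, 40000, 8 + len(data), 0) + data
    chunk = (mtu - 20) // 8 * 8          # fragment payloads are 8-byte aligned
    return [make_fragment(ident, off, off + chunk < len(udp), udp[off:off + chunk])
            for off in range(0, len(udp), chunk)]

# Constructed sample: a 3072-byte UDP payload becomes three fragments.
FRAGS = fragment_udp(0x1234, bytes(range(256)) * 12)

def compare(fragments):
    """Length of what a logger would see vs. whether the datagram was whole."""
    payload, complete = reassemble(fragments)
    return len(payload), complete

if __name__ == "__main__":
    print("all fragments  :", compare(FRAGS))        # (3080, True)
    print("first only     :", compare(FRAGS[:1]))    # (1480, False) -> looks cut off
    print("middle dropped :", compare(FRAGS[::2]))   # (1480, False)
```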
