Snort mailing list archives

Re: configure snort to drop payloads


From: Erek Adams <erek () theadamsfamily net>
Date: Wed, 17 Apr 2002 11:21:39 -0700 (PDT)

On Wed, 17 Apr 2002, Lyle Sudin wrote:

Unfortunately the mandate is not to write ANY payload
data to disk so changing the snaplen will not satisfy
the requirements.

No one said this was going to be easy...

Ok, my apologies to anyone for offending them, but....

Lyle, you're fscked on this--Like you don't already know that.  :-/

Due to the differences in the types of traffic on the wire, one snaplen won't
cover everything.  IOW, if you drop it down, you'll miss part of the data you
need for one type of traffic.  68 will make sure you get it all as that's the
largest header size that should be seen.

Possible workaround:  Change the MIN_SNAPLEN in decode.h to something smaller
for each type of traffic you want to parse.  Break out TCP/IP Illustrated and
get the header lengths for all the protos you want to parse and change as
needed.  You'll need to build a different version for each proto you want to
'check'.  One for TCP, one for UDP, etc...

<rant>

Now if this is all due to a Pointy Hair Boss Mandate (PHBM), you might want to
inform him that if someone is looking at the headers only--no payload--it's
just as much of a privacy invasion.  I mean how would he feel if his love of
the IP 66.33.60.13, port 80 was known to the world?  Here, let's track JUST
YOUR IP for a week and see how you like it.  *sigh*

</rant>

Sorry Lyle....  And good luck!

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net
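To make the point about snaplen concrete, here is an added example (Python, not Erek's post and not Snort's own decoder) that parses constructed Ethernet/IPv4/TCP and UDP frames, computes the exact header length of each one, and reports how many payload bytes a fixed 68-byte snaplen would still have written to disk. Protocol constants come from the IPv4/TCP/UDP header formats; the frames, addresses and payload are constructed sample data, not captured traffic.

```python
import struct

ETH_HLEN = 14            # destination MAC (6) + source MAC (6) + ethertype (2)
ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6
IPPROTO_UDP = 17
UDP_HLEN = 8


def header_length(frame: bytes) -> int:
    """Return the number of leading bytes of `frame` that are protocol headers.

    Ethernet + IPv4 (honouring IHL, so IP options count as header) + TCP
    (honouring the data offset, so TCP options count as header) or UDP.
    Anything else is treated as Ethernet + IPv4 header only.
    """
    if len(frame) < ETH_HLEN:
        raise ValueError("truncated Ethernet header")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETHERTYPE_IPV4:
        return ETH_HLEN  # only IPv4 is decoded in this example

    ip = frame[ETH_HLEN:]
    if len(ip) < 20:
        raise ValueError("truncated IPv4 header")
    ihl = (ip[0] & 0x0F) * 4  # IHL is in 32-bit words; 20 bytes minimum
    if ihl < 20 or len(ip) < ihl:
        raise ValueError("bad or truncated IPv4 header length")
    proto = ip[9]
    l4 = ip[ihl:]

    if proto == IPPROTO_TCP:
        if len(l4) < 20:
            raise ValueError("truncated TCP header")
        doff = (l4[12] >> 4) * 4  # data offset, also in 32-bit words
        if doff < 20 or len(l4) < doff:
            raise ValueError("bad or truncated TCP header length")
        return ETH_HLEN + ihl + doff
    if proto == IPPROTO_UDP:
        if len(l4) < UDP_HLEN:
            raise ValueError("truncated UDP header")
        return ETH_HLEN + ihl + UDP_HLEN
    return ETH_HLEN + ihl


def strip_payload(frame: bytes) -> bytes:
    """Per-packet truncation: keep exactly the headers, never a payload byte."""
    return frame[:header_length(frame)]


def payload_bytes_kept(frame: bytes, snaplen: int) -> int:
    """How many payload bytes a fixed capture length would still record."""
    return max(0, min(len(frame), snaplen) - header_length(frame))


# --- constructed sample frames (not real traffic) -------------------------
def _eth(ethertype: int = ETHERTYPE_IPV4) -> bytes:
    return bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + struct.pack("!H", ethertype)


def _ipv4(proto: int, l4_len: int) -> bytes:
    # version 4, IHL 5 (no options), total length = 20 + transport length
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + l4_len, 0x1234, 0, 64,
                       proto, 0, bytes([192, 0, 2, 1]), bytes([198, 51, 100, 7]))


PAYLOAD = b"A" * 30  # constructed application data that must not reach disk

UDP_FRAME = _eth() + _ipv4(IPPROTO_UDP, UDP_HLEN + len(PAYLOAD)) \
    + struct.pack("!HHHH", 53, 40000, UDP_HLEN + len(PAYLOAD), 0) + PAYLOAD

# TCP header with 12 bytes of options (MSS, NOP, NOP, SACK-permitted,
# window scale, NOP): data offset 8 words = 32 bytes.
_TCP_OPTS = b"\x02\x04\x05\xb4" + b"\x01\x01" + b"\x04\x02" + b"\x03\x03\x07" + b"\x01"
_TCP_HDR = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 8 << 4, 0x02, 65535, 0, 0) + _TCP_OPTS
TCP_FRAME = _eth() + _ipv4(IPPROTO_TCP, len(_TCP_HDR) + len(PAYLOAD)) + _TCP_HDR + PAYLOAD


if __name__ == "__main__":
    for name, frame in (("UDP/DNS-like", UDP_FRAME), ("TCP/HTTP-like", TCP_FRAME)):
        hl = header_length(frame)
        print(f"{name}: headers={hl} bytes, fixed snaplen 68 would keep "
              f"{payload_bytes_kept(frame, 68)} payload bytes, "
              f"per-packet strip keeps {len(strip_payload(frame))} bytes")
```

The UDP frame has 42 bytes of headers and the TCP frame 66, so a single snaplen of 68 writes 26 and 2 payload bytes respectively, which is why the message says one snaplen cannot satisfy a "no payload on disk" requirement; truncating at the per-packet header length does, and the bounds checks on IHL and data offset are what keep a malformed header from making the cut land inside the payload.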



_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users