Snort mailing list archives

Re: configure snort to drop payloads


From: Chris Keladis <Chris.Keladis () cmc cwo net au>
Date: Thu, 18 Apr 2002 23:26:09 +1000

"Dr. Richard W. Tibbs" wrote:

Hey, can you identify what .c in the snort distrib you are modifying below?
Thx.

James Hoagland wrote:

At 6:07 AM -0800 4/2/02, Lyle Sudin wrote:

Is there an easy way to run snort in packet sniffing
mode which will be able to keep up with a 100MB
connection, log in tcpdump format, and only log the
packet headers?

The -b switch seems to keep up with the traffic and
not drop packets but includes the payload in addition
to the headers.  I need to do all the parsing before
writing to disk (both privacy and disk space concerns)
so I am looking for either a switch I am missing or
code to edit.

Not sure if this has been discussed at all in this thread, but a way to
minimize your processing if you're not interested in the payload would
be to simply bring your snaplen down.

Checking Snort 1.8.6, it defaults to 1514 bytes so Snort sees everything,
but through the -P option you could set it to 68 bytes, which is generally
enough to log the packet headers with a minimum of payload.

It is probably slightly faster than the proposed patch at the expense of
capturing a little bit of payload still.



YMMV.


Regards,

Chris.


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
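The snaplen suggestion above leaves a caveat worth checking before relying on it for privacy: 68 bytes covers a plain Ethernet/IPv4/TCP header (14 + 20 + 20 = 54 bytes) with 14 bytes of payload still written to disk, and a packet carrying IP or TCP options can push the headers past 68 bytes so they get cut off. The following is an added example, not code from the original thread or from Snort; it builds three constructed frames (plain, with a 12-byte TCP timestamp option, and with the maximum 40 bytes of TCP options), reports how many payload bytes a given snaplen would retain or whether the headers themselves get truncated, and writes a minimal pcap so the truncated records can be inspected with tcpdump -r. The frame contents, addresses and ports are made up for the demonstration; only the standard library is used.

```python
import struct

ETH_LEN = 14  # untagged Ethernet II; an 802.1Q tag would add 4 more bytes


def build_sample_frame(tcp_options: bytes, payload: bytes) -> bytes:
    """Constructed Ethernet II + IPv4 + TCP frame (hypothetical addresses)."""
    assert len(tcp_options) % 4 == 0 and len(tcp_options) <= 40
    eth = bytes.fromhex("001122334455" "66778899aabb" "0800")
    tcp_len = 20 + len(tcp_options)
    ip_total = 20 + tcp_len + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, ip_total, 0x1234, 0x4000,
                     64, 6, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    data_offset = (tcp_len // 4) << 4      # upper nibble of byte 12 of TCP
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, data_offset,
                      0x18, 65535, 0, 0) + tcp_options
    return eth + ip + tcp + payload


HTTP_LINE = b"GET / HTTP/1.0\r\n"                       # constructed payload
TS_OPT = bytes.fromhex("0101080a" "00000001" "00000000")  # NOP,NOP,timestamp
FRAME_PLAIN = build_sample_frame(b"", HTTP_LINE)          # 70 bytes total
FRAME_TS = build_sample_frame(TS_OPT, HTTP_LINE)          # 82 bytes total
FRAME_MAXOPT = build_sample_frame(b"\x01" * 40, HTTP_LINE)  # 40 bytes of NOPs


def header_length(frame: bytes) -> int:
    """Bytes of Ethernet+IPv4+TCP headers, options included (IPv4/TCP only)."""
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:
        raise ValueError("not IPv4")
    ihl = (frame[ETH_LEN] & 0x0F) * 4
    if frame[ETH_LEN + 9] != 6:
        raise ValueError("not TCP")
    tcp_start = ETH_LEN + ihl
    return tcp_start + (frame[tcp_start + 12] >> 4) * 4


def payload_bytes_kept(frame: bytes, snaplen: int) -> int:
    """Payload bytes that a capture truncated at snaplen would still store."""
    return max(0, min(len(frame), snaplen) - header_length(frame))


def headers_truncated(frame: bytes, snaplen: int) -> bool:
    """True when snaplen cuts into the headers themselves."""
    return snaplen < header_length(frame)


def pcap_bytes(frames, snaplen: int) -> bytes:
    """Minimal libpcap file: each record is cut at snaplen, orig_len kept."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, 1)
    for i, frame in enumerate(frames):
        captured = frame[:snaplen]
        out += struct.pack("<IIII", 1000000000 + i, 0,
                           len(captured), len(frame)) + captured
    return out


def first_record_lengths(pcap: bytes):
    """(incl_len, orig_len) of the first record in a pcap produced above."""
    return struct.unpack("<II", pcap[32:40])


if __name__ == "__main__":
    for name, frame in [("plain", FRAME_PLAIN), ("tcp timestamp", FRAME_TS),
                        ("max tcp options", FRAME_MAXOPT)]:
        print(f"{name:16s} headers={header_length(frame):3d}  "
              f"payload kept @68={payload_bytes_kept(frame, 68):2d}  "
              f"headers cut @68={headers_truncated(frame, 68)}")
    with open("snaplen68.pcap", "wb") as fh:
        fh.write(pcap_bytes([FRAME_PLAIN, FRAME_TS, FRAME_MAXOPT], 68))
```

Running it shows the trade-off: for the plain frame a 68-byte snaplen still stores the first 14 bytes of the request line ("GET / HTTP/1.0"), while the frame with 40 bytes of TCP options loses part of its TCP header. Reading snaplen68.pcap with tcpdump -r will show the same records with their original lengths intact.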

