Snort mailing list archives
Re: Log vs. Alert --end the confusion!
From: Chris Green <cmg () sourcefire com>
Date: Tue, 13 Aug 2002 10:04:49 -0400
"Williams Jon" <WilliamsJon () JohnDeere com> writes:
While we're talking about how preprocessors log packets, could someone help me out with the stream4 preprocessor? There are a number of seemingly useful alerts that come out of it, such as the TTL evasion alerts, but when I go to the log, it looks as if snort only logs the last packet or the one that actually triggered the alert. As a result, it is very difficult to go back through and describe to the "attacker" or their ISP what the activity was. Obviously, the stream4 preprocessor had to have had all of the packets go through it and remember that the TTL was 5 on packet A, 8 on B, and so on. Is it possible to get it to write out all the packets in the offending stream?
I could add a "flush the stream to the logging subsystem" call, but that's not guaranteed to show the initial packet that set the TTL. In 1.9, the ttl_evasion stuff will only go off if the current packet is a low number.
This goes for all the alerts that come out of this preprocessor, and not just the TTL one.
When we switch to a better logging subsystem, a lot more information about "WHAT" happened will be great.

--
Chris Green <cmg () sourcefire com>
A watched process never cores.
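The two points in the reply above, that the 1.9 check looks only at the current packet's TTL and that flushing the stream to the logger is not guaranteed to include the packet that set the stream's TTL, can be seen in a small model. This is an added illustration written for this archive page, not Snort's stream4 code: the class and function names, the TTL_LIMIT of 5, the keep_last history bound and the sample packets are all assumptions constructed here.

```python
from collections import deque, namedtuple

# Constructed sample packet: sequence number, IP TTL, payload (not a real capture).
Packet = namedtuple("Packet", "seq ttl payload")

# Hypothetical "low TTL" threshold. The thread only says the 1.9 check fires when the
# current packet's TTL is a low number; the real cut-off is not given there.
TTL_LIMIT = 5


class StreamTracker:
    """Per-stream state: the TTL of the first packet seen plus a bounded packet history.

    keep_last=None keeps every packet of the stream; a small value models a
    memory-bounded reassembler that has already discarded the earliest packets.
    """

    def __init__(self, keep_last=None):
        self.first_ttl = None
        self.recent = deque(maxlen=keep_last)

    def process(self, pkt):
        """Feed one packet; return an alert dict on suspected TTL evasion, else None."""
        if self.first_ttl is None:
            self.first_ttl = pkt.ttl        # this packet "sets the TTL" for the stream
        self.recent.append(pkt)
        # As described for 1.9: the decision is made on the *current* packet only.
        if pkt.ttl <= TTL_LIMIT and pkt.ttl < self.first_ttl:
            return {
                "msg": "stream4: possible TTL evasion",
                "stream_ttl": self.first_ttl,
                "trigger": pkt,
                # "flush the stream to the logging subsystem": only what is still buffered
                "flushed": list(self.recent),
            }
        return None


def run(packets, keep_last=None):
    """Run a packet list through one tracker; return the list of alerts raised."""
    tracker = StreamTracker(keep_last)
    return [a for a in map(tracker.process, packets) if a is not None]


def flushed_has_first_packet(alert, packets):
    """Did the flush include the packet that established the stream's TTL?"""
    return packets[0] in alert["flushed"]


# Constructed stream: a client request in which one segment is sent with a TTL high
# enough to reach the sensor but too low to reach the server behind it.
STREAM = [
    Packet(1, 64, b"GET /cgi-bin/"),   # establishes stream TTL = 64
    Packet(2, 64, b"test"),
    Packet(3, 64, b".cgi"),
    Packet(4, 3,  b"XXXX"),            # low TTL: the sensor sees it, the server never does
    Packet(5, 64, b" HTTP/1.0\r\n\r\n"),
]

if __name__ == "__main__":
    for keep in (None, 2):
        for alert in run(STREAM, keep):
            print(alert["msg"], "trigger seq", alert["trigger"].seq,
                  "stream ttl", alert["stream_ttl"],
                  "flushed seqs", [p.seq for p in alert["flushed"]],
                  "first packet present:", flushed_has_first_packet(alert, STREAM))
```

With an unbounded history the flush on the alert carries packets 1 to 4, including the one that set the stream TTL; with the history bounded to two packets the same alert fires but the flush is only packets 3 and 4, which is the "not guaranteed to show the initial packet" caveat. The model does not reproduce stream4's actual reassembly or its real TTL comparison; it only shows why logging the triggering packet alone loses the context the original poster asked for.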
Current thread:
- Log vs. Alert --end the confusion! Steve Halligan (Aug 12)
- Re: Log vs. Alert --end the confusion! Chris Green (Aug 12)
- <Possible follow-ups>
- RE: Log vs. Alert --end the confusion! Williams Jon (Aug 13)
- Re: Log vs. Alert --end the confusion! Chris Green (Aug 13)