Snort mailing list archives

Re: Log vs. Alert --end the confusion!


From: Chris Green <cmg () sourcefire com>
Date: Tue, 13 Aug 2002 10:04:49 -0400

"Williams Jon" <WilliamsJon () JohnDeere com> writes:

While we're talking about how preprocessors log packets, could someone help
me out with the stream4 preprocessor?  There are a number of seemingly
useful alerts that come out of it, such as the TTL evasion alerts, but when
I go to the log, it looks as if snort only logs the last packet or the one
that actually triggered the alert.  As a result, it is very difficult to go
back through and describe to the "attacker" or their ISP what the activity
was.  Obviously, the stream4 preprocessor had to have had all of the packets
go through it and remember that the TTL was 5 on packet A, 8 on B, and so
on.  Is it possible to get it to write out all the packets in the offending
stream?

I could add a flush-the-stream call to the logging subsystem, but
that's not guaranteed to show the initial packet that set the TTL. In
1.9, the ttl_evasion stuff will only go off if the current packet is a
low number.

This goes for all the alerts that come out of this preprocessor, and
not just the TTL one.

When we switch to a better logging subsystem, a lot more information
about "WHAT" happened will be great.
-- 
Chris Green <cmg () sourcefire com>
A watched process never cores.
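As an added illustration of the idea discussed in this thread (it is not Snort's stream4 code, and all packets in it are constructed samples), the sketch below tracks each TCP stream by its 4-tuple, remembers the TTL the stream started with separately from the retained packets, and returns every retained packet of the stream when a later packet's TTL departs from that baseline. Keeping the baseline outside the packet buffer is what makes the alert still fire after the first packet has aged out of the buffer, which is the gap Chris points out. The `max_packets` and `ttl_tolerance` parameters are this example's own, not stream4 options.

```python
"""Per-stream packet retention for TTL-inconsistency alerts (example, not Snort code)."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    """Minimal constructed packet: just the fields this check needs."""
    src: str
    sport: int
    dst: str
    dport: int
    ttl: int
    seq: int

    def key(self):
        # Direction-specific 4-tuple; TTL only makes sense per sender.
        return (self.src, self.sport, self.dst, self.dport)


@dataclass
class Stream:
    base_ttl: int                      # TTL of the first packet seen, kept even after eviction
    packets: list = field(default_factory=list)


class StreamTracker:
    def __init__(self, max_packets=256, ttl_tolerance=0):
        self.streams = {}
        self.max_packets = max_packets  # per-stream retention buffer size (example parameter)
        self.ttl_tolerance = ttl_tolerance  # allowed TTL drift before alerting (example parameter)

    def feed(self, pkt):
        """Record pkt. Return the stream's retained packets if pkt's TTL is
        inconsistent with the stream's baseline, otherwise None."""
        s = self.streams.get(pkt.key())
        if s is None:
            s = Stream(base_ttl=pkt.ttl)
            self.streams[pkt.key()] = s
        s.packets.append(pkt)
        if len(s.packets) > self.max_packets:
            s.packets.pop(0)               # oldest packet ages out, baseline survives
        if abs(pkt.ttl - s.base_ttl) > self.ttl_tolerance:
            return list(s.packets)         # whole retained stream, not just the trigger
        return None


def run_sample(max_packets=256):
    """Feed a constructed stream: three packets at TTL 64, then one at TTL 5.
    Returns the TTLs of the packets handed back by the alert."""
    tracker = StreamTracker(max_packets=max_packets)
    flow = ("10.0.0.5", 40000, "192.0.2.10", 80)   # constructed addresses
    alerted = None
    for seq, ttl in enumerate([64, 64, 64, 5]):
        alerted = tracker.feed(Packet(*flow, ttl=ttl, seq=seq))
    return [p.ttl for p in alerted] if alerted else None


if __name__ == "__main__":
    print("full buffer:", run_sample())          # all four packets logged
    print("small buffer:", run_sample(max_packets=2))  # still alerts on baseline 64
```

With an unbounded buffer the alert hands back all four packets; with a two-packet buffer the first TTL-64 packets are already gone, but the alert still fires because the baseline TTL was recorded when the stream was created rather than recovered from the buffer.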

