Snort mailing list archives

Re: -b binary logging question


From: Erek Adams <erek () theadamsfamily net>
Date: Tue, 3 Sep 2002 00:52:09 -0700 (PDT)

On Mon, 2 Sep 2002, John Sage wrote:

> Having a discussion off-list about the -b binary logging switch, and
> suddenly I'm wondering...
>
> Does the -b binary logging switch *always* record all packets on the
> interface?

No, not unless you are logging everything that comes over the wire.

> Or is the set of packets logged by -b changed when one starts to
> specify a snort.conf and thus check the packets against rules, whether
> alerts or passes?

Yes.  :)

> "If you're on a high speed network or you want to log the packets into
> a more compact form for later analysis you should consider logging in
> "binary mode". Binary mode logs the packets in "tcpdump format" to a
> single binary file in the logging directory:
>
> ./snort -l ./log -b
>
> Note the command line changes here. We don't need to specify a home
> network any longer because binary mode logs everything into a single
> file, which eliminates the need to tell it how to format the output
> directory structure."
>
> This implies that -b gets everything.
>
> OK: does it *always* get everything?

No, only if an alert, log, or <user_type> rule matched.

I think the 'everything' mentioned there is 'all the packet and alert info'.
Otherwise, you have alerts one place and packet dumps another.

You _do_ need to use a '-h' or a 'reference net' config directive when
obfuscating things.  Otherwise it won't know which side of the packet to
munge.

Cheers!

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net
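Added example, not from this thread or the Snort project: a minimal reader for the tcpdump-format file that `-b` writes, so you can count what actually landed in the log and compare it against what you expected (all traffic on the wire, or only rule-matched packets when a snort.conf was in use). The sample file bytes are constructed inline; `build_pcap` and `summarize_pcap` are names chosen here.

```python
import struct
from dataclasses import dataclass

@dataclass
class PcapSummary:
    link_type: int        # e.g. 1 = Ethernet
    packets: int
    captured_bytes: int   # bytes actually stored in the file
    wire_bytes: int       # bytes seen on the wire (before snaplen clipping)
    truncated: int        # records where caplen < wirelen

def summarize_pcap(data: bytes) -> PcapSummary:
    """Walk a classic libpcap/tcpdump file: 24-byte global header,
    then 16-byte record headers each followed by caplen bytes."""
    if len(data) < 24:
        raise ValueError("shorter than a pcap global header")
    magic = struct.unpack("<I", data[:4])[0]
    if magic == 0xA1B2C3D4:
        endian = "<"            # written on a little-endian host
    elif magic == 0xD4C3B2A1:
        endian = ">"            # written on a big-endian host
    else:
        raise ValueError(f"not a pcap file: magic {magic:#x}")
    _vmaj, _vmin, _tz, _sig, _snaplen, link_type = struct.unpack(endian + "HHiIII", data[4:24])
    packets = captured = wire = truncated = 0
    off = 24
    while off + 16 <= len(data):
        _sec, _usec, caplen, wirelen = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        if off + caplen > len(data):
            raise ValueError(f"truncated record at offset {off - 16}")
        packets += 1
        captured += caplen
        wire += wirelen
        truncated += caplen < wirelen
        off += caplen
    if off != len(data):
        raise ValueError("trailing bytes after last record")
    return PcapSummary(link_type, packets, captured, wire, truncated)

def build_pcap(packets, snaplen=1514, link_type=1) -> bytes:
    """Construct a little-endian pcap file from (timestamp, payload) pairs."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, link_type)
    for ts, payload in packets:
        caplen = min(len(payload), snaplen)
        out += struct.pack("<IIII", ts, 0, caplen, len(payload)) + payload[:caplen]
    return out

# Constructed sample: three frames, the last one larger than the snaplen.
SAMPLE = build_pcap([(1031039529, b"\x00" * 60),
                     (1031039530, b"\x11" * 1514),
                     (1031039531, b"\x22" * 1600)])
```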



_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net