Snort mailing list archives

Re: SNORT / Shadow config setting question


From: Erek Adams <erek () snort org>
Date: Tue, 27 May 2003 11:57:21 -0400 (EDT)

On Fri, 23 May 2003, Raven, Mark wrote:

As a follow-up to a SAS70 audit, our auditing firm has requested I cut and
paste to them the lines in the shadow and SNORT config file(s) where it
proves that all packet headers are being logged.
Is any one out there a SNORT and Shadow guru and can point me to the right
file and appropriate lines so I can get this auditor out of my hair? Thanks.

Well...  There isn't a place in the config files where that is.  It simply
has to do with the way both Snort and tcpdump (the driving program behind
SHADOW) record the data.

tcpdump has a default snaplen (amount of bytes you record per packet) of
68 bytes.  From the tcpdump man page:

     -s snaplen
             Analyze at most the first snaplen bytes of data from each
             packet rather than the default of 68.  68 bytes is adequate
             for IP, ICMP, TCP, and UDP but may truncate protocol
             information from name server and NFS packets (see below).
             Packets truncated because of a limited snaplen are indicated
             in the output with ``[|proto]'', where proto is the name of
             the protocol level at which the truncation has occurred.
             Taking larger snapshots both increases the amount of time it
             takes to process packets and, effectively, decreases the
             amount of packet buffering.  This may cause packets to be
             lost.  You should limit snaplen to the smallest number that
             will capture the protocol information you're interested in.

Snort defaults its snaplen to 1514 bytes.  From decode.h:

   /* IRIX 6.2 hack! */
   #ifndef IRIX
       #define SNAPLEN         1514
   #else
       #define SNAPLEN         1500
   #endif

That sets the default SNAPLEN to 1500 on IRIX 6.2 and 1514 on all other
OSes.

So that's not part of the config, but it's there in the man pages and the
source code....

Hope that helps!

-----
Erek Adams

   "When things get weird, the weird turn pro."   H.S. Thompson
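Added example, not part of the original post or of Snort/tcpdump: since the snaplen is not in any config file, the evidence an auditor can actually check is the capture file itself. This Python script reads the classic libpcap global header to recover the snaplen the capture was written with, and flags every packet record whose captured length is shorter than its on-the-wire length (the truncation the man page excerpt describes). The pcap bytes are constructed inline; the minimum header sizes assume no IP or TCP options.

```python
import struct

# Smallest Ethernet + IPv4 + L4 header an un-optioned packet needs (assumption:
# no IP/TCP options). The man page's "68 bytes is adequate" rests on these sizes.
MIN_HEADER_BYTES = {"tcp": 14 + 20 + 20, "udp": 14 + 20 + 8, "icmp": 14 + 20 + 8}


def headers_fit(snaplen: int) -> bool:
    """True if a snaplen keeps the full L2/L3/L4 headers for TCP, UDP and ICMP."""
    return all(snaplen >= need for need in MIN_HEADER_BYTES.values())


def pcap_snaplen_report(data: bytes) -> dict:
    """Parse a classic libpcap file: return its snaplen and any truncated records."""
    magic = data[:4]
    if magic == b"\xd4\xc3\xb2\xa1":      # 0xa1b2c3d4 written little-endian
        end = "<"
    elif magic == b"\xa1\xb2\xc3\xd4":    # written big-endian
        end = ">"
    else:
        raise ValueError("not a classic pcap file")
    # global header: magic, ver_major, ver_minor, thiszone, sigfigs, snaplen, linktype
    _, _, _, _, _, snaplen, linktype = struct.unpack(end + "IHHiIII", data[:24])
    truncated, off, n = [], 24, 0
    while off + 16 <= len(data):
        _, _, incl_len, orig_len = struct.unpack(end + "IIII", data[off:off + 16])
        off += 16
        if incl_len < orig_len:           # caplen < wirelen: the "[|proto]" case
            truncated.append((n, incl_len, orig_len))
        off += incl_len
        n += 1
    return {"snaplen": snaplen, "linktype": linktype, "packets": n,
            "truncated": truncated, "headers_fit": headers_fit(snaplen)}


def build_pcap(snaplen: int, frames: list) -> bytes:
    """Constructed test input: write frames as a little-endian Ethernet pcap."""
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, 1)  # linktype 1 = Ethernet
    body = b""
    for i, frame in enumerate(frames):
        cap = frame[:snaplen]             # the writer keeps only snaplen bytes
        body += struct.pack("<IIII", 1053000000 + i, 0, len(cap), len(frame)) + cap
    return hdr + body


if __name__ == "__main__":
    # constructed: a 54-byte TCP SYN-sized frame and a 200-byte frame, snaplen 68
    print(pcap_snaplen_report(build_pcap(68, [bytes(54), bytes(200)])))
```

With snaplen 68 the report shows the second record truncated (68 of 200 bytes) while headers_fit stays True; rerun with 1514 and nothing is truncated.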
