Snort mailing list archives
Re: SNORT / Shadow config setting question
From: Erek Adams <erek () snort org>
Date: Tue, 27 May 2003 11:57:21 -0400 (EDT)
On Fri, 23 May 2003, Raven, Mark wrote:
As a follow-up to a SAS70 audit, our auditing firm has requested I cut and paste to them the lines in the shadow and SNORT config file(s) where it proves that all packet headers are being logged. Is anyone out there a SNORT and Shadow guru and can point me to the right file and appropriate lines so I can get this auditor out of my hair? Thanks.
Well... There isn't a place in the config files where that is. It simply has to do with the way both Snort and tcpdump (the driving program behind SHADOW) record the data. tcpdump has a default snaplen (amount of bytes you record per packet) of 68 bytes. From the tcpdump man page:

    -s snaplen
        Analyze at most the first snaplen bytes of data from each packet rather than the default of 68. 68 bytes is adequate for IP, ICMP, TCP, and UDP but may truncate protocol information from name server and NFS packets (see below). Packets truncated because of a limited snaplen are indicated in the output with ``[|proto]'', where proto is the name of the protocol level at which the truncation has occurred. Taking larger snapshots both increases the amount of time it takes to process packets and, effectively, decreases the amount of packet buffering. This may cause packets to be lost. You should limit snaplen to the smallest number that will capture the protocol information you're interested in.

Snort defaults its snaplen to 1514 bytes. From decode.h:

    /* IRIX 6.2 hack! */
    #ifndef IRIX
    #define SNAPLEN 1514
    #else
    #define SNAPLEN 1500
    #endif

That sets the default SNAPLEN to 1500 on IRIX 6.2 and 1514 to all other OS's. So that's not part of the config, but it's there in the man pages and the source code....

Hope that helps!

-----
Erek Adams
"When things get weird, the weird turn pro." H.S. Thompson
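Since the snaplen is not in the config files, the evidence an auditor can actually check is the capture data itself. The following is an added example (not code from this thread, Snort or SHADOW) that reads the snaplen field from a libpcap file's global header and counts records whose captured length was cut short of the original packet length, which is exactly the truncation the tcpdump man page describes. It assumes the logs are in libpcap format, which is what tcpdump and Snort's binary packet log produce; the capture bytes used below are constructed in memory so the script runs offline.

```python
import struct

# libpcap global header: magic, version major/minor, thiszone, sigfigs, snaplen, linktype
GLOBAL_HDR = "IHHiIII"
# libpcap per-packet record header: ts_sec, ts_usec, incl_len (caplen), orig_len
RECORD_HDR = "IIII"
MAGIC = 0xA1B2C3D4
MAGIC_SWAPPED = 0xD4C3B2A1   # the same magic seen through the other byte order
ETHERNET = 1
# Bytes needed for Ethernet + IPv4 + TCP headers without options (14 + 20 + 20).
# A record shorter than this has lost part of its layer 2-4 headers.
MIN_L2L3L4_HEADERS = 14 + 20 + 20


def build_pcap(snaplen, packet_lengths, endian="<"):
    """Construct a libpcap capture of dummy packets (sample data, not a real capture).

    Like tcpdump -s, the writer keeps at most snaplen bytes of each packet and
    records the full on-the-wire length in orig_len.
    """
    out = struct.pack(endian + GLOBAL_HDR, MAGIC, 2, 4, 0, 0, snaplen, ETHERNET)
    for n in packet_lengths:
        caplen = min(n, snaplen)
        out += struct.pack(endian + RECORD_HDR, 0, 0, caplen, n) + b"\x00" * caplen
    return out


def audit_pcap(data):
    """Return the snaplen the capture was written with and how many records were truncated."""
    magic = struct.unpack_from("<I", data, 0)[0]
    if magic == MAGIC:
        endian = "<"
    elif magic == MAGIC_SWAPPED:
        endian = ">"
    else:
        raise ValueError("not a libpcap capture")
    _, _, _, _, _, snaplen, linktype = struct.unpack_from(endian + GLOBAL_HDR, data, 0)
    off = struct.calcsize(endian + GLOBAL_HDR)
    rec_size = struct.calcsize(endian + RECORD_HDR)
    total = truncated = headers_cut = 0
    while off + rec_size <= len(data):
        _, _, caplen, orig = struct.unpack_from(endian + RECORD_HDR, data, off)
        off += rec_size + caplen
        total += 1
        if caplen < orig:            # the writer dropped bytes beyond snaplen
            truncated += 1
            if caplen < MIN_L2L3L4_HEADERS:
                headers_cut += 1     # truncation reached into the headers themselves
    return {"snaplen": snaplen, "linktype": linktype, "packets": total,
            "truncated": truncated, "headers_cut": headers_cut}


if __name__ == "__main__":
    # Constructed captures: one written the way Snort's default SNAPLEN of 1514
    # would, one with tcpdump's default of 68, and one deliberately too small.
    for label, snap in (("snort-default", 1514), ("tcpdump-default", 68), ("too-small", 40)):
        print(label, audit_pcap(build_pcap(snap, [60, 576, 1514, 1600])))
```

Run against a real log file with `audit_pcap(open(path, "rb").read())`. A `snaplen` of 1514 with `headers_cut` equal to zero is the concrete evidence that the headers were recorded; a nonzero `truncated` count with the 68-byte default is the `[|proto]` case from the man page, where payload was dropped but the IP/TCP/UDP headers were still kept.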