Snort mailing list archives
Re: Double logging :(
From: "dorwin" <dorwin () swbell net>
Date: Tue, 12 Aug 2003 20:44:58 -0500
I'm on a test network that has no other traffic. As a test I telneted the smtp server and sent a single message. The resulting session file has the message in it exactly twice.

Dorwin

----- Original Message -----
From: "Erek Adams" <erek () snort org>
To: "Dorwin T. Shields, Jr." <dorwin () earthlink net>
Cc: <snort-users () lists sourceforge net>
Sent: Tuesday, August 12, 2003 12:56 PM
Subject: Re: [Snort-users] Double logging :(

On Tue, 12 Aug 2003, Dorwin T. Shields, Jr. wrote:

> I'm attempting to capture smtp sessions in snort. I capture to a binary
> file for efficiency then replay into snort using options
> -de -r <file> -c <config>.

Make life simpler. Use mailsnarf from the dsniff toolkit [0].

> My config file has only a few rules (if memory serves):
>
> frag2
> stream4: timeout 60
> stream4_reassembly: client only
> log tcp any any -> any 25 (session: printable;)
>
> I limit to port 25 during the capture. Every session file I get is twice
> as large as it should be. It looks like everything is doubled. Is it
> something I'm doing or is this broken? Also, I tried using version 1.9.1
> and it did the same thing on both linux and windows.

Can you be a bit more clear? Define "looks like everything is doubled". How do you know _what_ size the session file should be? Are you accounting for the overhead of the pcap headers and file structure?

Version won't matter since a pcap formatted file is a pcap formatted file.

-----
Erek Adams

"When things get weird, the weird turn pro." H.S. Thompson

[0] http://naughty.monkey.org/~dugsong/dsniff/

-------------------------------------------------------
This SF.Net email sponsored by: Free pre-built ASP.NET sites including Data Reports, E-commerce, Portals, and Forums are available now. Download today and enter to win an XBOX or Visual Studio .NET.
http://aspnet.click-url.com/go/psa00100003ave/direct;at.aspnet_072303_01/01
_______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- double logging :( Dorwin T. Shields, Jr. (Aug 12)
- <Possible follow-ups>
- Double logging :( Dorwin T. Shields, Jr. (Aug 12)
- Re: Double logging :( Erek Adams (Aug 12)
- Re: Double logging :( dorwin (Aug 13)
- Re: Double logging :( Erek Adams (Aug 13)
- Re: Double logging :( Patrick Dolan (Aug 13)
- Re: Double logging :( Erek Adams (Aug 12)