Re: Snort, unified/database output plugins, session capture

["Andrew R. Baker" <andrewb () snort org>]

AJ Butcher, Information Systems and Computing wrote:
> What is the preferred mechanism for logging sessions in this manner?
>
> Do *any* of them even work when using unified or database logging? The 
> Snort  2.1.x manual indicates that 'tag' doesn't work with database 
> logging, and 'logto' doesn't work in binary mode. It says nothing about 
> 'session'.

The unified output plugins definitely support the tag option.  When 
tagging is enabled, all of the tagged packets will be written to the 
unified log file.  Additionally, with recent versions of Snort, if an 
alert is triggered on a reassembled stream, then all of the packets for 
the stream will also be written to the unified log file.  While I cannot 
speak for mudpit, Barnyard will process the tagged packets.  However, 
how the are processed is up to the discretion of each output plug-in.  I 
do know that the ACID database output plugin in Barnyard does not treat 
tagged packets properly.  IIRC, each tagged packet will become a new 
event entry in the database instead of having all the packets associated 
with a single event.  This is a limitation of the database design since 
it significantly predates tagged packet support.

-A



-------------------------------------------------------
This SF.Net email is sponsored by: IBM Linux Tutorials
Free Linux tutorial presented by Daniel Robbins, President and CEO of
GenToo technologies. Learn everything from fundamentals to system
administration.http://ads.osdn.com/?ad_id=1470&alloc_id=3638&op=click
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users