Snort mailing list archives
Re: Snort, unified/database output plugins, session capture
From: "AJ Butcher, Information Systems and Computing" <Alex.Butcher () bristol ac uk>
Date: Thu, 25 Mar 2004 17:22:28 +0000
--On 25 March 2004 10:05 -0500 "Andrew R. Baker" <andrewb () snort org> wrote:
> AJ Butcher, Information Systems and Computing wrote:
>> What is the preferred mechanism for logging sessions in this manner? Do *any* of them even work when using unified or database logging? The Snort 2.1.x manual indicates that 'tag' doesn't work with database logging, and 'logto' doesn't work in binary mode. It says nothing about 'session'.
>
> The unified output plugins definitely support the tag option. When tagging is enabled, all of the tagged packets will be written to the unified log file.
Ah-ha. Thanks for confirming that. Indeed, enabling this for the custom rule (tag: session,10,seconds) does the job, and, having Snort log directly to the db, some alerts of unknown signature show up in the database containing the rest of the session.
> Additionally, with recent versions of Snort, if an alert is triggered on a reassembled stream, then all of the packets for the stream will also be written to the unified log file. While I cannot speak for mudpit, Barnyard will process the tagged packets.
It looks as though mudpit-1.3 throws the tagged packets away, along with the original alert if the signature uses 'log', and only logs the triggering packet if the signature uses 'alert'. :(
Maybe I need to look at Barnyard again, now 0.2-beta2 is out.
> However, how they are processed is up to the discretion of each output plug-in. I do know that the ACID database output plugin in Barnyard does not treat tagged packets properly. IIRC, each tagged packet will become a new event entry in the database instead of having all the packets associated with a single event. This is a limitation of the database design since it significantly predates tagged packet support.
Darn, a USP for Sourcefire! ;-)
> -A
Thanks, Alex.
--
Alex Butcher: Security & Integrity, Personal Computer Systems Group
Information Systems and Computing
GPG Key ID: F9B27DC9
GPG Fingerprint: D62A DD83 A0B8 D174 49C4 2849 832D 6C72 F9B2 7DC9
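For readers following the thread, here is what the arrangement discussed above looks like in a Snort 2.1.x configuration. This is an added illustration, not a configuration posted by either participant: the rule, its sid, the port and the file names are assumptions chosen for the example; the 'tag: session,10,seconds' option is the one AJ reports using, and the unified/database output lines use the Snort 2.x 'output' syntax.

```conf
# Added example, not from the thread. snort.conf fragment.

# Unified output: the thread confirms that tagged packets (and, in
# recent versions, the packets of a reassembled stream that alerted)
# are written to the unified log file, where Barnyard can pick them up.
output alert_unified: filename snort.alert, limit 128
output log_unified: filename snort.log, limit 128

# By contrast, per the Snort 2.1.x manual cited in the thread, logging
# straight to a database does not carry the 'tag' option, so the
# follow-on session packets would not be captured this way:
# output database: log, mysql, user=snort dbname=snort host=localhost

# Local rule (assumed sid/port) that alerts on the first client packet
# of an SSH session and then tags the rest of that session for 10
# seconds. The tagged packets land in snort.log for Barnyard to process.
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"Added example - tag rest of SSH session"; flow:to_server,established; tag:session,10,seconds; sid:1000001; rev:1;)
```

As Andrew notes, what happens next is up to the Barnyard output plug-in: with the ACID database plug-in each tagged packet becomes its own event row rather than being grouped under the triggering alert, so when reviewing in ACID expect to correlate the rows by sensor, address pair and timestamp rather than by a single event id.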
Current thread:
- Snort, unified/database output plugins, session capture AJ Butcher, Information Systems and Computing (Mar 25)
- Re: Snort, unified/database output plugins, session capture Andrew R. Baker (Mar 25)
- Re: Snort, unified/database output plugins, session capture AJ Butcher, Information Systems and Computing (Mar 25)
- Re: Snort, unified/database output plugins, session capture Andrew R. Baker (Mar 25)