Snort mailing list archives

Re: log single packet vs reassembled stream


From: Thomas Anderson <neo_ait () yahoo com>
Date: Mon, 4 Oct 2004 19:06:28 -0700 (PDT)

Hi all,

I am trying to capture the session data of an average mail or data transfer. So I think we can put an upper limit on the session data size, so that most of the traffic sessions can be caught.

So is there any way to provide such information to Snort, or do I have to modify some code to do the adjustment?

Regards
Thomas

Jason Haar <Jason.Haar () trimble co nz> wrote:
Alex Butcher, ISC/ISYS wrote:

I know about the tag keyword..... Is there any other way so that the
entire session can be logged, if alert is generated in any of its
packet....


sguil can integrate snort with tcpdump, apparently. I've thought about 
doing something similar using flexresp, tethereal (in ring-log-file 
mode) and a shell script or similar.


I think, Thomas, that you need to think through what you are asking. What 
if the traffic in question ends up being a 6Gb DVD download? No IDS 
system will log such amounts of data - it would cause a DoS attack 
against the IDS (i.e. it would run out of memory, CPU, disk, take your 
pick). Also think about if you were using the SQL backend - can your 
database handle a 6Gb BLOB object? :-). With Snort, a logged event 
contains the section that triggered the alert plus "a bit" of extra data 
around it - but it doesn't capture the entire session.

If you are sure you need such capabilities, then as Alex says, there may 
be other options...

Jason
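The size cap Thomas is asking about already exists in Snort's rule language through the `tag` keyword that the thread mentions: `tag:session,<count>,<metric>` keeps logging packets of the matching session after the alert until `count` packets, seconds or bytes have been seen. The rules below are an added example, not from the original thread or the Snort distribution; the `$EXTERNAL_NET`/`$HOME_NET` variables are assumed to be defined in snort.conf, the `content` match is a deliberately simple illustration and the SIDs are arbitrary local numbers. The first rule shows what Jason describes (only the triggering packet is logged), the second adds a byte-bounded session tag.

```snort
# Added example, not from the mailing-list thread or the Snort project.
# Assumes $EXTERNAL_NET and $HOME_NET are set in snort.conf; SIDs 1000001/1000002
# are arbitrary local-range numbers.

# 1. Plain alert: Snort logs the packet that matched plus "a bit" of context,
#    but nothing else from the session.
alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"LOCAL SMTP DATA command seen"; \
    flow:to_server,established; content:"DATA|0D 0A|"; nocase; \
    sid:1000001; rev:1;)

# 2. Same match, but tag the rest of the session and stop after 1 MB of
#    further traffic, so a multi-gigabyte transfer cannot fill the logger.
#    Metric can be packets, seconds or bytes; "session" follows both directions
#    of the 5-tuple that fired the alert.
alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"LOCAL SMTP DATA command seen - log session"; \
    flow:to_server,established; content:"DATA|0D 0A|"; nocase; \
    tag:session,1048576,bytes; \
    sid:1000002; rev:1;)

# 3. snort.conf (Snort 2.x): global ceiling on tagged packets for any rule whose
#    tag metric is seconds or bytes. Default is 256 packets when unset; 0 disables
#    the ceiling. This is the sensor-side guard against the DoS Jason warns about.
config tagged_packet_limit: 256
```

Two practical notes: a `bytes` or `seconds` tag is still cut off by `tagged_packet_limit` (256 packets by default), so a session that fits in 1 MB may be truncated well before that unless the limit is raised or disabled, and every tagged packet is written through the same output plugin as the alert, so a database backend will receive one row per tagged packet rather than one large session record.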

