Snort mailing list archives
Re: Stream/Packet Capture with Snort
From: Marc Norton <mnorton () sourcefire com>
Date: Tue, 10 May 2005 09:48:47 -0400
You cannot capture packets prior to the event packet, usually. The exception is if the session data is being reassembled. If a specific stream is being saved for reassembly and an event packet comes along, all of the saved packets are logged. Otherwise, snort does not buffer up session data as would be needed to log packets prior to an event generating packet. Once a packet causes an event you can use event tagging to log the rest of the session.
Paul Melson wrote:
I'm using one of my Snort sensors (v2.3.2 w/ flexresp) to monitor, among other things, outbound e-mail traffic. Right now I am logging to a MySQL database and can view the offending packet data on a per-alert basis. In the case of e-mail traffic, packet captures of lengthy messages (say those with MIME attachments) don't always include the message headers.

I have been reading up on stream4 and stream4_reassemble, hoping that I can force Snort to match on (and thus log) the entire "client" side conversation to the database, but I'm not having any luck. Here are the preprocessor lines from my snort.conf file:

preprocessor stream4: enforce_state disable_evasion_alerts memcap 67108864
preprocessor stream4_reassemble: clientonly, ports 25

Unfortunately, I still only get the packet with the offending string in the database. Am I barking up the wrong tree here?

Thanks,
PaulM

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
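As an added illustration of the event tagging Marc refers to (this is not a rule from the thread or from the Snort distribution; the message text, content string and sid are placeholders I made up), here is what a port-25 rule with the tag option looks like next to the stream4 lines Paul posted. The point it makes is the one in Marc's reply: tagging starts at the packet that raised the event and logs the remainder of that TCP session, while packets seen before the event are not buffered and so are not recovered.

```snort
# Preprocessor lines as given in the quoted message (Snort 2.x syntax).
preprocessor stream4: enforce_state disable_evasion_alerts memcap 67108864
preprocessor stream4_reassemble: clientonly, ports 25

# Illustrative local rule (hypothetical msg, content and sid). flow:to_server
# restricts it to the client side of an established session, which is what
# stream4_reassemble clientonly is reassembling. Once the rule fires, the tag
# option logs the following packets of the same session, here up to 300
# packets; tag:session,60,seconds would bound it by time instead.
alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"EXAMPLE outbound SMTP keyword"; \
    flow:to_server,established; content:"EXAMPLE-KEYWORD"; nocase; \
    tag:session,300,packets; classtype:policy-violation; sid:1000001; rev:1;)
```

Tagged packets are logged through the same output plugins as the alert itself, so with database output they appear as additional rows for that event. Because tagging is forward-only, the headers of a message that arrive in packets before the triggering one are still not captured this way; only a reassembled stream that is being held at the moment of the event is logged in full, as Marc describes.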