Snort mailing list archives

Re: Double logging in alert_fast - Problem solved


From: Zultan <zultan () mad scientist com>
Date: Mon, 19 Sep 2005 01:03:59 +0000

Please disregard the below.

Removing the tag:session option from the log line stopped the double logging.

My apologies to the list...


----- Original Message -----
From: Zultan <zultan () mad scientist com>
To: snort-users () lists sourceforge net
Subject: [Snort-users] Double logging in alert_fast
Date: Fri, 16 Sep 2005 04:22:03 +0000


I know ASCII logging is bad, and that binary logging would be much better for 
this, but still, I need to do it.   Also, according to the archives, this was 
an issue before 1.8.1.

While trying to grab entire TCP sessions with a hostile IP, it logs each 
packet twice after the 3-way handshake.  Running 2.4 and testing from the 
command line with:

snort -d -i eth0 -l ./log -m 027 -y -c ./host-svr.rules

----------------
host-svr.rules is:
----------------

var HOME_NET [x.x.x.x/32]
var EXTERNAL_NET any
include ./class.config
output alert_fast: alert

var HOSTILE_SVRS [IPaddress/32]

alert tcp $HOME_NET any -> $HOSTILE_SVRS any (msg:"SYN to HOSTILE server"; flags:S;)
alert tcp $HOSTILE_SVRS any -> $HOME_NET any (msg:"SYN/ACK from HOSTILE server"; flags:SA;)
log tcp $HOSTILE_SVRS any <> $HOME_NET any (flow:established; tag:session,5000,packets;)





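The rules file as it stands after the fix described in the reply, written out here as an added example rather than the poster's own file. The tag:session option is removed from the log rule, which is what stopped the double logging; the log rule with flow:established still matches every packet of the session in both directions on its own. The IP addresses are placeholders, and the commented-out alternative at the end (tagging the session from the SYN alert instead of keeping a separate log rule) is an assumption that the thread did not test.

```snort
# Added example: host-svr.rules with the fix from the reply applied.
var HOME_NET [192.0.2.10/32]          # placeholder address
var EXTERNAL_NET any
var HOSTILE_SVRS [198.51.100.5/32]    # placeholder address
include ./class.config
output alert_fast: alert

alert tcp $HOME_NET any -> $HOSTILE_SVRS any (msg:"SYN to HOSTILE server"; flags:S;)
alert tcp $HOSTILE_SVRS any -> $HOME_NET any (msg:"SYN/ACK from HOSTILE server"; flags:SA;)

# Log rule without tag:session. Every established packet of the session, in
# either direction, matches this rule and is written once. With tag:session
# on the same rule the poster saw each packet after the handshake written
# twice, presumably because the tag started by the first match logged packets
# that the log rule was already logging itself.
log tcp $HOSTILE_SVRS any <> $HOME_NET any (flow:established;)

# Alternative (assumption, not tested in the thread): drop the log rule and
# let the SYN alert tag the rest of the session, up to 5000 packets. Tagged
# packets go to the same packet log, so the session is still captured, and
# no second rule matches them.
# alert tcp $HOME_NET any -> $HOSTILE_SVRS any (msg:"SYN to HOSTILE server"; flags:S; tag:session,5000,packets;)
```

Run it with the same command line as in the original post (snort -d -i eth0 -l ./log -m 027 -y -c ./host-svr.rules). A quick check for double logging is to capture the same session with tcpdump on the same interface, filtered to the hostile host, and compare the packet count with what was written under ./log for that host.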


