Snort mailing list archives
Re: Double logging in alert_fast - Problem solved
From: Zultan <zultan () mad scientist com>
Date: Mon, 19 Sep 2005 01:03:59 +0000
Please disregard the below. Removing the tag:session option from the log line stopped the double logging. My apologies to the list...

----- Original Message -----
From: Zultan <zultan () mad scientist com>
To: snort-users () lists sourceforge net
Subject: [Snort-users] Double logging in alert_fast
Date: Fri, 16 Sep 2005 04:22:03 +0000
I know ASCII logging is bad, and that binary logging would be much better for this, but still, I need to do it. Also, according to the archives, this was an issue before 1.8.1.

While trying to grab entire TCP sessions with a hostile IP, it logs each packet twice after the 3-way handshake. Running 2.4 and testing from the command line with:

    snort -d -i eth0 -l ./log -m 027 -y -c ./host-svr.rules

----------------
host-svr.rules is:
----------------

    var HOME_NET [x.x.x.x/32]
    var EXTERNAL_NET any
    include ./class.config
    output alert_fast: alert
    var HOSTILE_SVRS [IPaddress/32]
    alert tcp $HOME_NET any -> $HOSTILE_SVRS any (msg:"SYN to HOSTILE server"; flags:S;)
    alert tcp $HOSTILE_SVRS any -> $HOME_NET any (msg:"SYN/ACK from HOSTILE server"; flags:SA;)
    log tcp $HOSTILE_SVRS any <> $HOME_NET any (flow:established; tag:session,5000,packets;)
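Added example, not part of Zultan's post and not Snort's own code: a small Python checker that reads alert_fast lines and reports packets that were written more than once, distinguishing an exact repeat (the same rule logged the same packet twice) from the same packet appearing under two different rules. This is the kind of check that separates "the output plugin wrote the line twice" from "two rules, or a rule plus its tag, both fired on one packet", which is the question the thread raises. The regex assumes the single-line alert_fast layout Snort 2.x writes (timestamp with the optional year from -y, [**] gid:sid:rev msg [**], optional classification, priority, protocol, src -> dst); the sample lines, addresses and sids below are constructed for this example.

```python
"""Find repeated packets in Snort alert_fast output.

Added example (not from the original post). The layout matched below is
the Snort 2.x alert_fast single-line format as this example assumes it;
all sample data is constructed, using documentation address ranges.
"""
import re
from collections import defaultdict

# Assumed Snort 2.x alert_fast line layout. The year field is optional
# because it only appears when snort is run with -y, as in the post.
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d(?:/\d\d)?-\d\d:\d\d:\d\d\.\d+)\s+"
    r"\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?"
    r"\[Priority:\s*(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>\w+)\}\s+"
    r"(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s*$"
)

# Constructed sample: a handshake, one packet logged twice by the same
# rule (exact repeat), one packet logged by two different rules, and a
# junk line to show that non-alert lines are skipped rather than fatal.
SAMPLE = """\
09/16/05-04:22:03.118221  [**] [1:1000001:0] SYN to HOSTILE server [**] [Priority: 0] {TCP} 192.0.2.10:51234 -> 203.0.113.7:80
09/16/05-04:22:03.201009  [**] [1:1000002:0] SYN/ACK from HOSTILE server [**] [Priority: 0] {TCP} 203.0.113.7:80 -> 192.0.2.10:51234
09/16/05-04:22:03.302442  [**] [1:1000003:0] HOSTILE session packet [**] [Classification: Not Suspicious Traffic] [Priority: 3] {TCP} 192.0.2.10:51234 -> 203.0.113.7:80
09/16/05-04:22:03.302442  [**] [1:1000003:0] HOSTILE session packet [**] [Classification: Not Suspicious Traffic] [Priority: 3] {TCP} 192.0.2.10:51234 -> 203.0.113.7:80
09/16/05-04:22:03.417710  [**] [1:1000003:0] HOSTILE session packet [**] [Classification: Not Suspicious Traffic] [Priority: 3] {TCP} 203.0.113.7:80 -> 192.0.2.10:51234
09/16/05-04:22:03.417710  [**] [1:1000004:0] Tagged session packet [**] [Priority: 0] {TCP} 203.0.113.7:80 -> 192.0.2.10:51234
this line is not an alert and is ignored
"""


def parse_alert(line):
    """Return the named fields of one alert_fast line, or None if it does not parse."""
    m = ALERT_RE.match(line)
    return m.groupdict() if m else None


def find_repeats(lines):
    """Group alerts by packet identity (timestamp, proto, src, dst).

    Returns {identity: [(gid, sid, msg), ...]} for identities seen more
    than once. Two lines with the same microsecond timestamp and the same
    endpoints are treated as the same packet.
    """
    groups = defaultdict(list)
    for line in lines:
        rec = parse_alert(line)
        if rec is None:
            continue
        key = (rec["ts"], rec["proto"], rec["src"], rec["dst"])
        groups[key].append((rec["gid"], rec["sid"], rec["msg"]))
    return {k: v for k, v in groups.items() if len(v) > 1}


def classify_repeats(repeats):
    """Split repeats into exact duplicates (one rule, same packet, written
    twice) and multi-rule hits (same packet, different gid:sid or msg)."""
    identical, distinct = {}, {}
    for key, hits in repeats.items():
        (identical if len(set(hits)) == 1 else distinct)[key] = hits
    return identical, distinct


if __name__ == "__main__":
    identical, distinct = classify_repeats(find_repeats(SAMPLE.splitlines()))
    for key, hits in identical.items():
        print("EXACT DUPLICATE", key, "x%d" % len(hits), hits[0][2])
    for key, hits in distinct.items():
        print("MULTI-RULE", key, [h[1] for h in hits])
```

Run it against a real alert file with `find_repeats(open(path).read().splitlines())`; an exact duplicate points at the logging path itself, while a multi-rule hit shows which two rules (or which rule and its tagged follow-up) both claimed the packet.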