Snort mailing list archives
Re: Logging Reassembled Packets
From: John Curry <john.curry () metre net>
Date: Fri, 14 Mar 2008 03:15:35 -0500
Hello Kam, SANCP provides ICMP and UDP session logging. Version 1.6.1 is stable. Link: http://metre.net/sancp.html Regards, -John Curry Kamran Shafi wrote:
Thank you all for your kind replies, I am overwhelmed. It is bit disappointing that the reassembled sessions can not be logged by Snort, afterall Snort CAN also work as a packet logger and log in pcap format, then why is it that there is no option to log the re-built packets - a functionality that Snort implements. BTW, I just wanted to have a summary record of each session (initiated with a 3WHS and terminated by a 4WHS) similar to the Snort's summary log packet for portscans - I am not sure how tcpdump or other software mentioned in this thread can do that. It looks like I will have to write one myself. In addition I also wanted to track UDP and ICMP sessions - any ideas on how to do that? All this exercise to build a useful dataset for evaluating my little supervised learning algorithm aimed at intrusion detection - Ah!!! On Fri, Mar 14, 2008 at 5:15 PM, Will Metcalf <william.metcalf () gmail com <mailto:william.metcalf () gmail com>> wrote: If you have a couple of spare cpu's lying around you could always try out gulp... http://staff.washington.edu/corey/gulp/ Regards, Will On Thu, Mar 13, 2008 at 11:07 PM, Jeremy <cjeremy () gmail com <mailto:cjeremy () gmail com>> wrote: > Not trying to steal the thread here, but I have to ask since I have > never really stress tested damonlogger. Do you all think it performs > better than tcpdump at writing packets to disk? This never crossed my > mine to evaluate before now, as I have only used damonlogger to play > traffic out another interface.... If yes, any document on this claim > out there? Running to Google now to see if I can't find something on > this while I wait for responses ;) > > --jeremy > > > > On Thu, Mar 13, 2008 at 8:40 PM, Martin Roesch <roesch () sourcefire com <mailto:roesch () sourcefire com>> wrote: > > -----BEGIN PGP SIGNED MESSAGE----- > > Hash: SHA1 > > > > Correction. You should use Daemonlogger! > > > > :) > > > > -Marty > > > > > > > > On Mar 13, 2008, at 8:20 PM, Jason wrote: > > > > > snort is not intended to log full reassembled streams, it is > > > intended to > > > detect intrusion attempts and log the relevant data associated with > > > those attempts. If you want full session logging you should use > > > tcpdump. > > > > > > Kamran Shafi wrote: > > >> I notice that there is a show_rebuilt_packets option in steam5_global > > >> configuration, which I have turned on but don't know if it is > > >> producing > > >> anything. I run snort on some traffic collected on a web/dns/mysql > > >> server > > >> using -r flag. The log shows that snort filters out the server's > > >> response > > >> and keeps only the inbound traffic - I am not sure if this > > >> behaviour is > > >> because of the stream 5 processor or else? > > >> > > >> On Fri, Mar 14, 2008 at 12:56 AM, Joel Esler <joel.esler () sourcefire com <mailto:joel.esler () sourcefire com> > > >> > > > >> wrote: > > >> > > >>> Again, a visit to the readme's in the doc/ directory should help > > >>> you. > > >>> Look up "log_flushed_streams" in the stream4 readme. > > >>> Joel > > >>> > > >>> On Mar 13, 2008, at 2:36 AM, Kamran Shafi wrote: > > >>> > > >>> Hi All, > > >>> > > >>> Is there a way to log the reassembled (TCP/UDP/ICMP) sessions in > > >>> Snort? > > >>> > > >>> -- > > >>> Regards > > >>> Kam > > >>> ------------------------------------------------------------------------- > > >>> This SF.net email is sponsored by: Microsoft > > >>> Defy all challenges. Microsoft(R) Visual Studio 2008. > > >>> > > >>> http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/_______________________________________________ > > >>> Snort-users mailing list > > >>> Snort-users () lists sourceforge net <mailto:Snort-users () lists sourceforge net> > > >>> Go to this URL to change user options or unsubscribe: > > >>> https://lists.sourceforge.net/lists/listinfo/snort-users > > >>> Snort-users list archive: > > >>> http://www.geocrawler.com/redir-sf.php3?list=snort-users > > >>> > > >>> > > >>> > > >>> -- > > >>> Joel Esler joel.esler () sourcefire com <mailto:joel.esler () sourcefire com> > > >>> > > >>> > > >>> > > >>> > > >>> > > >> > > >> > > >> > > >> ------------------------------------------------------------------------ > > >> > > >> ------------------------------------------------------------------------- > > >> This SF.net email is sponsored by: Microsoft > > >> Defy all challenges. Microsoft(R) Visual Studio 2008. > > >> http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/ > > >> > > >> > > >> ------------------------------------------------------------------------ > > >> > > >> _______________________________________________ > > >> Snort-users mailing list > > >> Snort-users () lists sourceforge net <mailto:Snort-users () lists sourceforge net> > > >> Go to this URL to change user options or unsubscribe: > > >> https://lists.sourceforge.net/lists/listinfo/snort-users > > >> Snort-users list archive: > > >> http://www.geocrawler.com/redir-sf.php3?list=snort-users > > > > > > ------------------------------------------------------------------------- > > > This SF.net email is sponsored by: Microsoft > > > Defy all challenges. Microsoft(R) Visual Studio 2008. > > > http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/ > > > _______________________________________________ > > > Snort-users mailing list > > > Snort-users () lists sourceforge net <mailto:Snort-users () lists sourceforge net> > > > Go to this URL to change user options or unsubscribe: > > > https://lists.sourceforge.net/lists/listinfo/snort-users > > > Snort-users list archive: > > > http://www.geocrawler.com/redir-sf.php3?list=snort-users > > > > - -- > > Martin Roesch - Founder/CTO, Sourcefire Inc. - +1-410-290-1616 > > Sourcefire - Security for the Real World - http://www.sourcefire.com <http://www.sourcefire.com/> > > Snort: Open Source IDP - http://www.snort.org <http://www.snort.org/> > > > > > > -----BEGIN PGP SIGNATURE----- > > Version: GnuPG v1.4.7 (Darwin) > > > > iD8DBQFH2degqj0FAQQ3KOARAoGaAJ0Qunysz07riv/NwgSEyvkXuaKmvwCfRmjD > > 9vfsXaAbtb93a6aPRD4QPso= > > =dxrz > > -----END PGP SIGNATURE----- > > > > > > > > ------------------------------------------------------------------------- > > This SF.net email is sponsored by: Microsoft > > Defy all challenges. Microsoft(R) Visual Studio 2008. > > http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/ > > _______________________________________________ > > Snort-users mailing list > > Snort-users () lists sourceforge net <mailto:Snort-users () lists sourceforge net> > > Go to this URL to change user options or unsubscribe: > > https://lists.sourceforge.net/lists/listinfo/snort-users > > Snort-users list archive: > > http://www.geocrawler.com/redir-sf.php3?list=snort-users > ------------------------------------------------------------------------- > This SF.net email is sponsored by: Microsoft > Defy all challenges. Microsoft(R) Visual Studio 2008. > http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/ > _______________________________________________ > Snort-users mailing list > Snort-users () lists sourceforge net <mailto:Snort-users () lists sourceforge net> > Go to this URL to change user options or unsubscribe: > https://lists.sourceforge.net/lists/listinfo/snort-users > Snort-users list archive: > http://www.geocrawler.com/redir-sf.php3?list=snort-users ------------------------------------------------------------------------- This SF.net email is sponsored by: Microsoft Defy all challenges. Microsoft(R) Visual Studio 2008. http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/ _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net <mailto:Snort-users () lists sourceforge net> Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users <https://lists.sourceforge.net/lists/listinfo/snort-usersSnort-users> list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users -- Regards Kamran Shafi +61 41 824 9510 ------------------------------------------------------------------------ ------------------------------------------------------------------------- This SF.net email is sponsored by: Microsoft Defy all challenges. Microsoft(R) Visual Studio 2008. http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/ ------------------------------------------------------------------------ _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
------------------------------------------------------------------------- This SF.net email is sponsored by: Microsoft Defy all challenges. Microsoft(R) Visual Studio 2008. http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/ _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- Logging Reassembled Packets Kamran Shafi (Mar 12)
- Re: Logging Reassembled Packets Joel Esler (Mar 13)
- Re: Logging Reassembled Packets Kamran Shafi (Mar 13)
- Re: Logging Reassembled Packets Jason (Mar 13)
- Re: Logging Reassembled Packets Martin Roesch (Mar 13)
- Re: Logging Reassembled Packets Jeremy (Mar 13)
- Re: Logging Reassembled Packets Will Metcalf (Mar 13)
- Re: Logging Reassembled Packets Kamran Shafi (Mar 14)
- Re: Logging Reassembled Packets Patrik Nordlén (Mar 14)
- Re: Logging Reassembled Packets Martin Roesch (Mar 14)
- Re: Logging Reassembled Packets John Curry (Mar 14)
- Re: Logging Reassembled Packets Kamran Shafi (Mar 13)
- Re: Logging Reassembled Packets Joel Esler (Mar 13)
- Re: Logging Reassembled Packets Martin Roesch (Mar 14)