Snort mailing list archives

Re: Logging Reassembled Packets


From: John Curry <john.curry () metre net>
Date: Fri, 14 Mar 2008 03:15:35 -0500

Hello Kam,

SANCP provides ICMP and UDP session logging.  Version 1.6.1 is stable.
Link:   http://metre.net/sancp.html

Regards,

-John Curry

Kamran Shafi wrote:
Thank you all for your kind replies, I am overwhelmed.
 
It is a bit disappointing that the reassembled sessions cannot be
logged by Snort; after all, Snort CAN also work as a packet logger and
log in pcap format, so why is it that there is no option to log the
rebuilt packets - a functionality that Snort implements?
BTW, I just wanted to have a summary record of each session (initiated
with a 3WHS and terminated by a 4WHS) similar to Snort's summary
log packet for portscans - I am not sure how tcpdump or other software
mentioned in this thread can do that. It looks like I will have to
write one myself. In addition I also wanted to track UDP and ICMP
sessions - any ideas on how to do that?
 
All this exercise to build a useful dataset for evaluating my little
supervised learning algorithm aimed at intrusion detection - Ah!!!
 
On Fri, Mar 14, 2008 at 5:15 PM, Will Metcalf <william.metcalf () gmail com> wrote:

    If you have a couple of spare CPUs lying around you could always try
    out gulp...

    http://staff.washington.edu/corey/gulp/

    Regards,

    Will
    On Thu, Mar 13, 2008 at 11:07 PM, Jeremy <cjeremy () gmail com> wrote:
    > Not trying to steal the thread here, but I have to ask since I have
    >  never really stress tested damonlogger. Do you all think it performs
    >  better than tcpdump at writing packets to disk?  This never crossed my
    >  mind to evaluate before now, as I have only used damonlogger to play
    >  traffic out another interface....  If yes, any document on this claim
    >  out there?  Running to Google now to see if I can't find something on
    >  this while I wait for responses ;)
    >
    >  --jeremy
    >
    >
    >
    >  On Thu, Mar 13, 2008 at 8:40 PM, Martin Roesch <roesch () sourcefire com> wrote:
    >  > -----BEGIN PGP SIGNED MESSAGE-----
    >  >  Hash: SHA1
    >  >
    >  >  Correction.  You should use Daemonlogger!
    >  >
    >  >  :)
    >  >
    >  >         -Marty
    >  >
    >  >
    >  >
    >  >  On Mar 13, 2008, at 8:20 PM, Jason wrote:
    >  >
    >  >  > snort is not intended to log full reassembled streams, it is
    >  >  > intended to detect intrusion attempts and log the relevant data
    >  >  > associated with those attempts. If you want full session logging
    >  >  > you should use tcpdump.
    >  >  >
    >  >  > Kamran Shafi wrote:
    >  >  >> I notice that there is a show_rebuilt_packets option in the
    >  >  >> stream5_global configuration, which I have turned on but don't
    >  >  >> know if it is producing anything. I run snort on some traffic
    >  >  >> collected on a web/dns/mysql server using the -r flag. The log
    >  >  >> shows that snort filters out the server's response and keeps
    >  >  >> only the inbound traffic - I am not sure if this behaviour is
    >  >  >> because of the stream 5 processor or something else?
    >  >  >>
    >  >  >> On Fri, Mar 14, 2008 at 12:56 AM, Joel Esler <joel.esler () sourcefire com> wrote:
    >  >  >>
    >  >  >>> Again, a visit to the readmes in the doc/ directory should help
    >  >  >>> you. Look up "log_flushed_streams" in the stream4 readme.
    >  >  >>> Joel
    >  >  >>>
    >  >  >>>   On Mar 13, 2008, at 2:36 AM, Kamran Shafi wrote:
    >  >  >>>
    >  >  >>>  Hi All,
    >  >  >>>
    >  >  >>> Is there a way to log the reassembled (TCP/UDP/ICMP) sessions in
    >  >  >>> Snort?
    >  >  >>>
    >  >  >>> --
    >  >  >>> Regards
    >  >  >>> Kam
    >  >  >>>
    -------------------------------------------------------------------------
    >  >  >>> This SF.net email is sponsored by: Microsoft
    >  >  >>> Defy all challenges. Microsoft(R) Visual Studio 2008.
    >  >  >>>
    >  >  >>>
    >  >  >>> http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/
    >  >  >>> _______________________________________________
    >  >  >>> Snort-users mailing list
    >  >  >>> Snort-users () lists sourceforge net
    <mailto:Snort-users () lists sourceforge net>
    >  >  >>> Go to this URL to change user options or unsubscribe:
    >  >  >>> https://lists.sourceforge.net/lists/listinfo/snort-users
    >  >  >>> Snort-users list archive:
    >  >  >>> http://www.geocrawler.com/redir-sf.php3?list=snort-users
    >  >  >>>
    >  >  >>>
    >  >  >>>
    >  >  >>> --
    >  >  >>> Joel Esler  joel.esler () sourcefire com
    >  >  >
    >  >  >
    >  >
    >  >  - --
    >  >  Martin Roesch - Founder/CTO, Sourcefire Inc. - +1-410-290-1616
    >  >  Sourcefire - Security for the Real World - http://www.sourcefire.com
    >  >  Snort: Open Source IDP - http://www.snort.org
    >  >
    >  >
    >  >  -----BEGIN PGP SIGNATURE-----
    >  >  Version: GnuPG v1.4.7 (Darwin)
    >  >
    >  >  iD8DBQFH2degqj0FAQQ3KOARAoGaAJ0Qunysz07riv/NwgSEyvkXuaKmvwCfRmjD
    >  >  9vfsXaAbtb93a6aPRD4QPso=
    >  >  =dxrz
    >  >  -----END PGP SIGNATURE-----
    >




-- 
Regards
Kamran Shafi
+61 41 824 9510
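Kamran's plan above (a summary record per session, with the TCP 3WHS and 4WHS tracked explicitly, and something comparable for UDP and ICMP) as an added example; this is not code from the thread, nor from Snort, SANCP, Daemonlogger or any other tool named in it. It assumes Ethernet/IPv4 frames with timestamps in the (timestamp, frame) shape a pcap reader hands out, a 60-second idle timeout for connectionless flows, and that an ICMP echo request and its reply are paired by identifier; the traffic at the bottom is constructed for the demo, not captured.

```python
# Added example (not Snort/SANCP/tcpdump code): per-session records for TCP, UDP, ICMP.
import struct
from dataclasses import dataclass, field
FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10
IDLE_TIMEOUT = 60.0  # assumption: a flow silent for longer than this is closed as "idle"

def parse_frame(frame):
    """Ethernet/IPv4 -> (proto, src, dst, a, b, tcp_flags) or None; ICMP echo uses its id as a and b."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    proto, src, dst = frame[23], frame[26:30], frame[30:34]
    l4 = frame[14 + (frame[14] & 0x0F) * 4:]
    if proto in (6, 17) and len(l4) >= (20 if proto == 6 else 8):
        sp, dp = struct.unpack_from("!HH", l4, 0)
        return proto, src, dst, sp, dp, (l4[13] if proto == 6 else 0)
    if proto == 1 and len(l4) >= 8:
        ident = struct.unpack_from("!H", l4, 4)[0]  # request and reply share it
        return 1, src, dst, ident, ident, 0
    return None

@dataclass
class Session:
    proto: int; client: tuple; server: tuple; start: float; last: float
    packets: int = 0; bytes: int = 0; hs: int = 0  # hs = 3WHS steps seen; 3 = established
    fins: set = field(default_factory=set); state: str = "open"

class SessionTracker:
    def __init__(self, idle_timeout=IDLE_TIMEOUT):
        self.idle, self.active, self.done = idle_timeout, {}, []

    def _close(self, key, state):
        s = self.active.pop(key)
        s.state = state
        self.done.append(s)

    def feed(self, ts, frame):
        parsed = parse_frame(frame)
        if parsed is None: return
        proto, src, dst, a, b, flags = parsed
        key = (proto,) + tuple(sorted([(src, a), (dst, b)]))  # direction-independent key
        s = self.active.get(key)
        if s and ts - s.last > self.idle:  # tuple reused after silence: expire, start anew
            self._close(key, "idle")
        if key not in self.active:  # whichever side speaks first is recorded as the client
            self.active[key] = Session(proto, (src, a), (dst, b), ts, ts)
        s = self.active[key]
        s.packets, s.bytes, s.last = s.packets + 1, s.bytes + len(frame), ts
        if proto != 6: return
        from_client = (src, a) == s.client
        if flags & SYN and not flags & ACK and from_client and s.hs == 0:
            s.hs = 1  # 3WHS step 1: SYN
        elif flags & SYN and flags & ACK and not from_client and s.hs == 1:
            s.hs = 2  # 3WHS step 2: SYN-ACK
        elif flags & ACK and from_client and s.hs == 2:
            s.hs = 3  # 3WHS step 3: ACK, session established
        if flags & RST:
            self._close(key, "reset")
        elif flags & FIN:
            s.fins.add(from_client)  # 4WHS: one FIN from each side
        elif flags & ACK and len(s.fins) == 2:
            self._close(key, "closed")  # 4WHS: final ACK after both FINs

    def summaries(self, end_ts):
        for key in list(self.active):  # flush whatever is still open at end of capture
            self._close(key, "idle" if end_ts - self.active[key].last > self.idle else "open")
        name = {6: "tcp", 17: "udp", 1: "icmp"}
        addr = lambda ep: ".".join(map(str, ep[0])) + ":%d" % ep[1]  # for ICMP: ip:echo-id
        return [{"proto": name[s.proto], "client": addr(s.client), "server": addr(s.server),
                 "start": s.start, "duration": round(s.last - s.start, 6), "packets": s.packets,
                 "bytes": s.bytes, "state": s.state, "handshake": s.hs == 3 if s.proto == 6 else None}
                for s in sorted(self.done, key=lambda x: x.start)]

def summarize(records):
    """records: iterable of (timestamp, raw Ethernet frame), as a pcap reader yields them."""
    tracker, last_ts = SessionTracker(), 0.0
    for last_ts, frame in records:
        tracker.feed(last_ts, frame)
    return tracker.summaries(last_ts)

# Constructed sample traffic (not a real capture; IP/TCP checksums are left zero).
def _frame(proto, src, dst, l4):
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0, src, dst)
    return bytes(12) + b"\x08\x00" + ip + l4
def _tcp(fl, sp, dp): return struct.pack("!HHIIBBHHH", sp, dp, 0, 0, 0x50, fl, 8192, 0, 0)
def _udp(sp, dp, p): return struct.pack("!HHHH", sp, dp, 8 + len(p), 0) + p
def _icmp(kind, ident): return struct.pack("!BBHHH", kind, 0, 0, ident, 1)
A, B = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])
SAMPLE = [  # one complete TCP session, a DNS exchange, a ping, then one lone datagram
    (1.0, _frame(6, A, B, _tcp(SYN, 40000, 80))),
    (1.1, _frame(6, B, A, _tcp(SYN | ACK, 80, 40000))),
    (1.2, _frame(6, A, B, _tcp(ACK, 40000, 80))),
    (2.0, _frame(6, A, B, _tcp(FIN | ACK, 40000, 80))),
    (2.1, _frame(6, B, A, _tcp(ACK, 80, 40000))),
    (2.2, _frame(6, B, A, _tcp(FIN | ACK, 80, 40000))),
    (2.3, _frame(6, A, B, _tcp(ACK, 40000, 80))),
    (3.0, _frame(17, A, B, _udp(5353, 53, b"q"))),
    (3.1, _frame(17, B, A, _udp(53, 5353, b"r"))),
    (4.0, _frame(1, A, B, _icmp(8, 0x1234))),
    (4.1, _frame(1, B, A, _icmp(0, 0x1234))),
    (100.0, _frame(17, A, B, _udp(40001, 123, b"t"))),
]
```

On a real capture, feed the (timestamp, frame) pairs from whatever pcap reader is in use into summarize(). A record with state "closed" and handshake True is a session that was both set up by a 3WHS and torn down by a 4WHS; "reset", "idle" and "open" separate aborted, timed-out and still-running flows, which is usually the distinction a labelled IDS dataset needs. The idle timeout also handles a port pair being reused after a long silence, which otherwise merges two unrelated UDP exchanges into one record.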

