Snort mailing list archives

Preprocessor logging (was: Log vs. Alert --end the confusion!)


From: "Williams Jon" <WilliamsJon () JohnDeere com>
Date: Tue, 13 Aug 2002 13:23:31 -0500

If the stream gets flushed on an alert in the preprocessor, will it get
written out as individual packets, each with their original header, or will
they all get "reconstituted" into a stream pseudopacket?  When trying to
track down some of these issues, having the original packet headers is the
only way to find out what's going on.

<blue-sky wishlist>
As kind of a side note, has anyone looked into a rolling buffer of sorts to
allow a certain amount of history?  I mean, snort's tag: thingie is great
for recording what happened _after_ an alert, but a lot of the time, it's what
happened _before_ that is really useful for determining what's going on.
Similar to the issues I've run into with the preprocessor alerts is that
looking at the actual packet that triggered the alert only gets you so far.

It would be very useful to be able to have an IDS that would buffer packets
for a short period of time for a given src/dest pair and if, during that
conversation/time period, any of the packets triggered an alert, write
everything to the log rather than just that one packet.  If nothing alerts
in that conversation or if the timeout is exceeded, the buffer gets flushed.
</blue-sky wishlist>

Jon

-----Original Message-----
From: Chris Green [mailto:cmg () sourcefire com]

I could add a flush the stream to the logging subsystem call but
that's not guaranteed to show the initial packet that set the ttl.  In
1.9, the ttl_evasion stuff will only go off if the current packet is a
low number.

This goes for all the alerts that come out of this preprocessor, and
not just the TTL one.

When we switch to a better logging subsystem, a lot more information
about "WHAT" happened will be great.
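One way to build the pre-alert rolling buffer Jon sketches in his wishlist, as an added example that is not part of this thread or of Snort itself. It keeps a per-conversation history of raw packets (original headers included), expires conversations that stay quiet past a timeout, and hands back the whole buffered conversation when one packet in it alerts; the `Packet` shape, the window size and the sample packets are all constructed for the example.

```python
from collections import deque
from dataclasses import dataclass


@dataclass
class Packet:
    ts: float    # capture timestamp in seconds (constructed, not a real pcap field)
    src: str
    dst: str
    raw: bytes   # original packet bytes, headers and all, so nothing is "reconstituted"


def flow_key(src, dst):
    # Unordered pair so both directions of a conversation share one buffer.
    return tuple(sorted((src, dst)))


class PreAlertBuffer:
    """Rolling per-conversation history of packets seen before an alert."""

    def __init__(self, window_s=30.0, max_pkts=256):
        self.window_s = window_s    # idle timeout after which history is discarded
        self.flows = {}             # flow_key -> deque[Packet], bounded by max_pkts
        self.max_pkts = max_pkts
        self.logged = []            # everything written out because of an alert

    def _expire(self, now):
        # Trim packets older than the window; drop conversations left empty.
        # Scans every flow per packet; a real sensor would use a timer wheel.
        for key in list(self.flows):
            q = self.flows[key]
            while q and now - q[0].ts > self.window_s:
                q.popleft()
            if not q:
                del self.flows[key]

    def observe(self, pkt):
        """Record a packet that did not alert; it may be logged later."""
        self._expire(pkt.ts)
        key = flow_key(pkt.src, pkt.dst)
        self.flows.setdefault(key, deque(maxlen=self.max_pkts)).append(pkt)

    def alert(self, pkt):
        """pkt triggered an alert: log the whole buffered conversation, not just pkt."""
        self.observe(pkt)
        history = list(self.flows.pop(flow_key(pkt.src, pkt.dst)))
        self.logged.extend(history)
        return history


def demo():
    # Constructed traffic: one conversation alerts at t=10, another stays quiet.
    buf = PreAlertBuffer(window_s=30.0)
    buf.observe(Packet(0.0, "10.0.0.1", "10.0.0.2", b"SYN"))
    buf.observe(Packet(1.0, "10.0.0.2", "10.0.0.1", b"SYN-ACK"))
    buf.observe(Packet(5.0, "10.0.0.3", "10.0.0.4", b"GET /"))
    return buf, buf.alert(Packet(10.0, "10.0.0.1", "10.0.0.2", b"bad payload"))
```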


