Snort mailing list archives

RE: Snort outputting like tcpdump


From: Erek Adams <erek () snort org>
Date: Fri, 17 Jan 2003 12:20:57 -0500 (EST)

On Fri, 17 Jan 2003, Christopher Lyon wrote:

> Is there a way not to log the payload?

Short answer:  No.

Longer answer:  I don't have my Stevens book handy right now, it's
somewhere buried in a moving box, so this info isn't as accurate as I would
like.  Different types of packets have different header sizes.  One may
have 40 bytes, one may have 60 bytes, etc.  As I said, Tcpdump grabs 68
bytes of the packet and works with that.  Snort grabs 1514 bytes.  If you
want to change how much Snort grabs, use the -P command line option.
snort -P 68 will have Snort reading exactly as Tcpdump would.

If you're attempting to use that for Intrusions, it's all but worthless.
If you're trying to do it for tracking your users, just use tcpdump,
urlsnarf, or something like that.  If you're trying to get it into a DB,
modify the db output plugin not to send the payload once it's got the
headers decoded.

Cheers!

-----
Erek Adams

   "When things get weird, the weird turn pro."   H.S. Thompson
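The point above, that a fixed snaplen such as 68 bytes does not cleanly separate headers from payload because header sizes vary, can be shown with a small calculation. The following is an added example, not code from the original mail or from the Snort project: it builds constructed Ethernet/IPv4/TCP and UDP frames with chosen option lengths, truncates each to a snaplen the way a capture at that snaplen would, and decodes how many payload bytes survive (or whether the headers themselves got cut). The 68 and 1514 values are the defaults the mail quotes; the option bytes and addresses are made up.

```python
import struct

ETH_HDR_LEN = 14
TCPDUMP_DEFAULT_SNAPLEN = 68    # classic tcpdump default quoted in the mail
SNORT_DEFAULT_SNAPLEN = 1514    # full Ethernet frame, what the mail says Snort grabs


def build_frame(proto, ip_options=b"", l4_options=b"", payload=b""):
    """Build a constructed Ethernet/IPv4/{TCP,UDP} frame (not a real capture).

    Checksums are left at zero; only lengths matter for this exercise.
    ip_options and l4_options must be multiples of 4 bytes, as on the wire.
    """
    eth = b"\xaa" * 6 + b"\xbb" * 6 + b"\x08\x00"          # dst, src, EtherType IPv4
    if proto == "tcp":
        doff = (20 + len(l4_options)) // 4                   # data offset in 32-bit words
        l4 = struct.pack("!HHIIBBHHH", 12345, 80, 0, 0,
                         doff << 4, 0x18, 65535, 0, 0) + l4_options
        proto_num = 6
    elif proto == "udp":
        l4 = struct.pack("!HHHH", 12345, 53, 8 + len(payload), 0)
        proto_num = 17
    else:
        raise ValueError("proto must be 'tcp' or 'udp'")
    ihl = (20 + len(ip_options)) // 4                        # IP header length in words
    total_len = 20 + len(ip_options) + len(l4) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, total_len, 0, 0,
                     64, proto_num, 0,
                     b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02") + ip_options
    return eth + ip + l4 + payload


def payload_bytes_captured(frame, snaplen):
    """Truncate frame to snaplen and decode what is left.

    Returns (payload_bytes_kept, headers_intact). headers_intact is False when
    the snaplen cut into the IP or transport header itself, which is the case
    the mail warns about for packets with large headers.
    """
    cap = frame[:snaplen]
    if len(cap) < ETH_HDR_LEN + 20:
        return 0, False
    ihl = (cap[ETH_HDR_LEN] & 0x0F) * 4
    proto = cap[ETH_HDR_LEN + 9]
    l4_start = ETH_HDR_LEN + ihl
    if proto == 6:                                            # TCP: read data offset
        if len(cap) < l4_start + 20:
            return 0, False
        l4_len = (cap[l4_start + 12] >> 4) * 4
    elif proto == 17:                                         # UDP: fixed 8-byte header
        l4_len = 8
    else:
        l4_len = 0
    payload_start = l4_start + l4_len
    if len(cap) < payload_start:
        return 0, False
    return len(cap) - payload_start, True


if __name__ == "__main__":
    body = b"A" * 100                                         # constructed 100-byte payload
    cases = {
        "TCP, no options":        build_frame("tcp", payload=body),
        "TCP, 12B TCP options":   build_frame("tcp", l4_options=b"\x01\x01\x08\x0a" + b"\x00" * 8, payload=body),
        "TCP, 40B IP options":    build_frame("tcp", ip_options=b"\x01" * 40, payload=body),
        "UDP, no options":        build_frame("udp", payload=body),
    }
    for name, frame in cases.items():
        for snaplen in (TCPDUMP_DEFAULT_SNAPLEN, SNORT_DEFAULT_SNAPLEN):
            kept, intact = payload_bytes_captured(frame, snaplen)
            print(f"{name:22s} snaplen={snaplen:5d}  payload kept={kept:3d}  headers intact={intact}")
```

With snaplen 68 a plain TCP segment still leaks 14 bytes of payload and a UDP datagram 26, while a TCP segment carrying 40 bytes of IP options has its TCP header cut off entirely, which is why a snaplen cannot be used as a "no payload" switch.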


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users