Snort mailing list archives
Re: Snort, unified/database output plugins, session capture
From: "Andrew R. Baker" <andrewb () snort org>
Date: Thu, 25 Mar 2004 10:05:24 -0500
AJ Butcher, Information Systems and Computing wrote:
What is the preferred mechanism for logging sessions in this manner? Do *any* of them even work when using unified or database logging? The Snort 2.1.x manual indicates that 'tag' doesn't work with database logging, and 'logto' doesn't work in binary mode. It says nothing about 'session'.
The unified output plugins definitely support the tag option. When tagging is enabled, all of the tagged packets will be written to the unified log file. Additionally, with recent versions of Snort, if an alert is triggered on a reassembled stream, then all of the packets for the stream will also be written to the unified log file. While I cannot speak for mudpit, Barnyard will process the tagged packets. However, how they are processed is up to the discretion of each output plug-in. I do know that the ACID database output plugin in Barnyard does not treat tagged packets properly. IIRC, each tagged packet will become a new event entry in the database instead of having all the packets associated with a single event. This is a limitation of the database design since it significantly predates tagged packet support.
-A
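The grouping step that the ACID plugin lacks, as an added example (this is not Snort or Barnyard code). It assumes a simplified record layout in which each unified log record carries the Snort Event header fields and a flag marking packets written because of the tag option; the real unified binary format is not parsed here. It further assumes that a tagged packet's event_reference holds the event_id of the alert that triggered tagging, so tagged packets can be folded onto one event row instead of becoming an event each. Tagged packets whose originating alert is not in the batch (for example because it went to an earlier, rotated file) are reported separately rather than silently promoted to new events.

```python
from collections import OrderedDict
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class UnifiedRecord:
    """One record from a unified log file (simplified stand-in, an assumption).

    Only the fields needed for grouping are kept.  event_reference is assumed
    to carry the event_id of the alert that caused the packet to be logged;
    for the alert's own packet it equals event_id.
    """
    timestamp: float
    sig_generator: int
    sig_id: int
    event_id: int
    event_reference: int
    tagged: bool       # True when written because of the rule's tag option
    payload_len: int


@dataclass
class EventGroup:
    """All packets that belong to one originating alert."""
    event_id: int
    sig_generator: int
    sig_id: int
    packets: List[UnifiedRecord] = field(default_factory=list)

    @property
    def total_bytes(self) -> int:
        return sum(p.payload_len for p in self.packets)


def group_by_event(records) -> Tuple[List[EventGroup], List[UnifiedRecord]]:
    """Fold tagged packets onto the alert that produced them.

    Two passes: alert packets open the groups first, so a tagged packet that
    happens to be ordered before its alert is still attached.  Returns the
    groups in alert time order plus the tagged packets with no matching alert.
    """
    ordered = sorted(records, key=lambda r: r.timestamp)
    groups: "OrderedDict[int, EventGroup]" = OrderedDict()
    for rec in ordered:
        if not rec.tagged:
            groups.setdefault(
                rec.event_id, EventGroup(rec.event_id, rec.sig_generator, rec.sig_id)
            ).packets.append(rec)
    orphans: List[UnifiedRecord] = []
    for rec in ordered:
        if rec.tagged:
            group = groups.get(rec.event_reference)
            if group is None:
                orphans.append(rec)   # originating alert not in this batch
            else:
                group.packets.append(rec)
    for group in groups.values():
        group.packets.sort(key=lambda r: r.timestamp)
    return list(groups.values()), orphans


# Constructed sample batch (not captured from a real sensor): alert 101 with
# three tagged packets of its session, alert 105 with one, and a tagged packet
# referencing event 99, whose alert is not present.
SAMPLE = [
    UnifiedRecord(1.0, 1, 2000001, 101, 101, False, 120),
    UnifiedRecord(1.1, 1, 2000001, 102, 101, True, 1460),
    UnifiedRecord(1.2, 1, 2000001, 103, 101, True, 1460),
    UnifiedRecord(1.3, 1, 2000001, 104, 101, True, 300),
    UnifiedRecord(2.0, 1, 2000002, 105, 105, False, 80),
    UnifiedRecord(2.1, 1, 2000002, 106, 105, True, 512),
    UnifiedRecord(0.5, 1, 2000003, 100, 99, True, 40),
]

if __name__ == "__main__":
    groups, orphans = group_by_event(SAMPLE)
    print(f"{len(SAMPLE)} records would become {len(SAMPLE)} event rows if stored one per record")
    for g in groups:
        print(f"event {g.event_id} sid {g.sig_id}: {len(g.packets)} packets, {g.total_bytes} bytes")
    print(f"tagged packets without an originating alert in this batch: {len(orphans)}")
```

With the sample batch, seven records collapse to two event rows (four and two packets respectively) plus one orphaned tagged packet, which is the difference between a per-packet and a per-event view of the same unified file.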