Snort mailing list archives
Log everything in NIDS mode (yet not all packets are getting logged)
From: Bryan Leavitt <dansagsun () gmail com>
Date: Tue, 17 May 2005 14:24:02 -0400
My goal is to both a) log all tcp packets in binary and b) also run in realtime NIDS mode (any alerts being sent to both unified.log and unified.alert files). To accomplish this, I've defined a custom rule type and changed the rule order around so that it gets called first.

snort.conf stuff:

    # create custom logging rule-type
    ruletype logall
    {
        type log
        output log_tcpdump: snort.tcpdump.log
    }

    # log rule
    logall tcp any any <> any any

    # change order that rules are evaluated
    config order: logall activation dynamic alert pass log

Yet it still appears some packets aren't getting logged.

    Snort received 1501 packets
        Analyzed: 1501(100.000%)
        Dropped: 0(0.000%)
    ===============================================================================
    Breakdown by protocol:
        TCP: 1212       (80.746%)
        UDP: 96         (6.396%)
       ICMP: 1          (0.067%)
        ARP: 71         (4.730%)
      EAPOL: 0          (0.000%)
       IPv6: 0          (0.000%)
        IPX: 0          (0.000%)
      OTHER: 121        (8.061%)
    DISCARD: 0          (0.000%)
    ===============================================================================
    Action Stats:
    ALERTS: 1
    LOGGED: 1109
    PASSED: 0

Shouldn't I be seeing LOGGED == 1212 ?? What packets are NOT being logged?

As a sanity check, I can run snort in packet logging mode and the "analyzed" and "logged" counts are nearly identical (well, off by a few packets... I assume that's because a few packets may get analyzed yet not logged before it receives my Ctrl-C signal).

I started disabling other preprocessors, especially the stream preprocessors, as well as the -z option, and that seemed to help. My theory is that some preprocessors may silently pass packets? But if I've changed the rule order to logall first, shouldn't this stuff get logged before any detection routines are called?

Any suggestions?

-Bryan
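One way to pin down the gap Bryan describes is to count the TCP frames actually written to the log_tcpdump file and compare that with the TCP total in Snort's run summary. The following is an added example, not code from the post or from Snort; it assumes an Ethernet (DLT_EN10MB) libpcap file such as snort.tcpdump.log, and the summary text and packets it uses are constructed inline.

```python
"""Compare TCP packets present in a libpcap log with Snort's summary counts."""
import re
import struct

# Constructed Snort run summary in the same layout as the one in the post.
SUMMARY = """Breakdown by protocol:
    TCP: 5          (62.500%)
    UDP: 3          (37.500%)
Action Stats:
ALERTS: 0
LOGGED: 3
PASSED: 0
"""

def parse_summary(text):
    """Return e.g. {'TCP': 5, 'UDP': 3, 'ALERTS': 0, 'LOGGED': 3, 'PASSED': 0}."""
    return {k: int(v) for k, v in re.findall(r"^\s*([A-Z]+):\s*(\d+)", text, re.M)}

def count_tcp_in_pcap(data):
    """Return (total_frames, ipv4_tcp_frames) for libpcap bytes (Ethernet link)."""
    endian = "<" if data[:4] == b"\xd4\xc3\xb2\xa1" else ">"
    if struct.unpack(endian + "I", data[20:24])[0] != 1:
        raise ValueError("only DLT_EN10MB (Ethernet) is handled here")
    off, total, tcp = 24, 0, 0
    while off + 16 <= len(data):          # 16-byte per-packet record header
        incl_len = struct.unpack(endian + "IIII", data[off:off + 16])[2]
        frame = data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        total += 1
        # Ethertype 0x0800 = IPv4; IPv4 header byte 9 = protocol, 6 = TCP.
        if len(frame) >= 34 and frame[12:14] == b"\x08\x00" and frame[23] == 6:
            tcp += 1
    return total, tcp

def build_frame(ip_proto):
    """Constructed minimal Ethernet + IPv4 frame carrying the given protocol."""
    eth = b"\x00" * 12 + b"\x08\x00"
    ip = bytes([0x45, 0, 0, 20, 0, 0, 0, 0, 64, ip_proto]) + b"\x00" * 10
    return eth + ip

def build_pcap(frames):
    """Constructed little-endian libpcap file with the given frames."""
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    return hdr + b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)

def missing_tcp(summary_text, pcap_bytes):
    """TCP packets Snort counted but did not write to the binary log."""
    return parse_summary(summary_text)["TCP"] - count_tcp_in_pcap(pcap_bytes)[1]

# Constructed log: 3 TCP frames and 1 UDP frame, versus 5 TCP in the summary.
SAMPLE_LOG = build_pcap([build_frame(6)] * 3 + [build_frame(17)])
```

Run against a real snort.tcpdump.log, a positive result means the packets never reached the logall output and the next step is to bisect the preprocessors as Bryan did.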