Snort mailing list archives

Re: NIDS + packet logging - only alert packets get logged


From: "Al Lewis (allewi)" <allewi () cisco com>
Date: Wed, 9 Mar 2016 15:35:47 +0000

See the next page:

"To enable Network Intrusion Detection System (NIDS) mode so that you don't record every single packet sent down the wire, try this: ./snort -dev -l ./log -h 192.168.1.0/24 -c snort.conf"

http://manual.snort.org/node6.html




Albert Lewis
QA Software Engineer
SOURCEfire, Inc. now part of Cisco
9780 Patuxent Woods Drive
Columbia, MD 21046 
Phone: (office) 443.430.7112
Email: allewi () cisco com 


-----Original Message-----
From: Al Lewis (allewi) 
Sent: Wednesday, March 09, 2016 10:32 AM
To: 'Rich Lee'
Cc: snort-users () lists sourceforge net
Subject: RE: [Snort-users] NIDS + packet logging - only alert packets get logged

If you are running in IDS mode (WITH a conf file) then ONLY the alert traffic is captured.

If you run WITHOUT a conf file then ALL traffic is captured.

I think you are trying to mix packet logger with NIDS mode.

Albert Lewis
QA Software Engineer
SOURCEfire, Inc. now part of Cisco
9780 Patuxent Woods Drive
Columbia, MD 21046 
Phone: (office) 443.430.7112
Email: allewi () cisco com 

-----Original Message-----
From: Rich Lee [mailto:laughingblade () gmail com] 
Sent: Wednesday, March 09, 2016 9:47 AM
To: snort-users () lists sourceforge net
Subject: [Snort-users] NIDS + packet logging - only alert packets get logged

Hi,

newbie kind of Q I'm afraid:

I'm running snort 2.9.8.0 & Barnyard2 in an Ubuntu 14.04 VM, set up according to Noah Dietrich's guide.

I want to run snort as NIDS to alert, but also capture *all* packets. 
According to http://manual.snort.org/node5.html I should be good with './snort -l ./log -b'

The command I'm running is './snort -c /pathto/snort.conf -i eth0 -l /pathto/log -b', and I'm seeing timestamped log 
files as expected, but only for alerts, not for other traffic...

My understanding from the docs is that the command line log switch should log *all* packets, and output modules 
configured in snort.conf will log processed/detected alert packets. I've tried this with output module configured, and 
with no output modules at all - but snort continues to log only alerting packets. I've confirmed that there actually is 
other traffic to be captured by running wireshark alongside.

Does the -l -b switch work? Am I possibly missing something obvious?

TIA
Rich Lee
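Since Snort in NIDS mode (run with -c) writes only the packets that alerted, the usual way to keep *all* traffic alongside it is a separate full capture (tcpdump -w, or a second snort in packet logger mode with -l -b) and then carving the window around each alert timestamp out of that capture. The following is an added example, not code from this thread or from the Snort project; it assumes a little-endian, microsecond-resolution libpcap file, and both the capture bytes and the alert timestamp are constructed inside the block.

```python
import struct

PCAP_MAGIC = 0xA1B2C3D4                 # little-endian libpcap with microsecond timestamps
GLOBAL_HDR = struct.Struct("<IHHiIII")  # magic, major, minor, thiszone, sigfigs, snaplen, linktype
PKT_HDR = struct.Struct("<IIII")        # ts_sec, ts_usec, incl_len, orig_len


def build_pcap(packets, linktype=1):
    """Serialise (ts_sec, ts_usec, data) tuples into a libpcap blob (used below for constructed data)."""
    out = bytearray(GLOBAL_HDR.pack(PCAP_MAGIC, 2, 4, 0, 0, 65535, linktype))
    for sec, usec, data in packets:
        out += PKT_HDR.pack(sec, usec, len(data), len(data)) + data
    return bytes(out)


def iter_pcap(blob):
    """Yield (ts_sec, ts_usec, data) per record; refuses other byte orders and truncated tails."""
    magic = GLOBAL_HDR.unpack_from(blob, 0)[0]
    if magic != PCAP_MAGIC:
        raise ValueError("only little-endian microsecond pcap is handled here")
    off = GLOBAL_HDR.size
    while off + PKT_HDR.size <= len(blob):
        sec, usec, incl, _orig = PKT_HDR.unpack_from(blob, off)
        off += PKT_HDR.size
        if off + incl > len(blob):          # capture cut off mid-record (e.g. tcpdump killed)
            raise ValueError("truncated packet record at offset %d" % off)
        yield sec, usec, blob[off:off + incl]
        off += incl


def carve_window(blob, alert_ts, before=2.0, after=2.0):
    """Return (pcap_bytes, count) for packets within [alert_ts - before, alert_ts + after]."""
    lo, hi = alert_ts - before, alert_ts + after
    keep = [(s, u, d) for s, u, d in iter_pcap(blob) if lo <= s + u / 1e6 <= hi]
    return build_pcap(keep), len(keep)


# Constructed full capture: five placeholder frames one second apart (not real traffic).
FULL_CAPTURE = build_pcap([(1457534800 + i, 250000, b"frame-%d" % i) for i in range(5)])
# Constructed alert time: the epoch value for 2016-03-09 14:46:42.250000 UTC.
ALERT_TS = 1457534802.25

if __name__ == "__main__":
    carved, n = carve_window(FULL_CAPTURE, ALERT_TS, before=1.0, after=1.0)
    print("kept %d of 5 packets, %d bytes of pcap" % (n, len(carved)))
```

The carved file can be opened in Wireshark next to the alert from snort's own log to see the traffic before and after the packet that fired the rule.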

------------------------------------------------------------------------------
Transform Data into Opportunity.
Accelerate data analysis in your applications with Intel Data Analytics Acceleration Library.
Click to learn more.
http://pubads.g.doubleclick.net/gampad/clk?id=278785111&iu=/4140
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!

