Snort mailing list archives
Re: full tcpdump logging with alerting
From: Martin Roesch <roesch () sourcefire com>
Date: Mon, 13 Aug 2001 09:44:00 -0400
Chris Green wrote:
> Ryan.Oliver () pha com au writes:
>
> > Greetings all, I was wondering if it was possible to run snort logging ALL traffic to a tcpdump file (not just alerts), while logging alerts etc. to a database/syslog in real time.
> >
> > I think:
> >
> >     include "blah.rules"
> >     ...
> >
> > With the last rule of:
> >
> >     # traffic logging rule
> >     log ip any any -> any any (msg: "traffic")
You don't need the options field, just the rule header.
> There might be a better way to do this. Note that this will require a fairly recent snort, though there's the smell of a very stable snort coming out sometime soon :>
>
> You could do about the same in older versions with log udp / log tcp / log icmp.
>
> Note that your files may grow very large very quickly and you could run into OS issues, but I'm sure you've thought about this.
Logging everything is usually only an option on small networks or for
people with large disks. :)
-Marty
--
Martin Roesch
roesch () sourcefire com
http://www.sourcefire.com - http://www.snort.org
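The setup discussed in this thread, as an added configuration example that is not from the original posts or from the Snort project: a catch-all `log ip` rule with only a rule header (as Marty says, no options field needed) placed after the alert rules, with alerts sent to syslog and a database in real time and the logged packets written in binary tcpdump format. The file names, interface, database credentials and the `local.rules` include are assumptions for illustration.

```conf
# snort.conf fragment (assumed paths/names, not a real deployment)

# Real-time alert outputs: syslog and a database (credentials are placeholders).
output alert_syslog: LOG_AUTH LOG_ALERT
output database: alert, mysql, user=snort password=PLACEHOLDER dbname=snort host=localhost

# Packets matched by "log" rules are written in tcpdump (pcap) format.
# With -b on the command line this is equivalent to a binary packet log.
output log_tcpdump: snort.log

# Detection rules come first so alerts fire as usual.
include local.rules

# Last rule: log every IP packet. Header only, no options section.
# In older Snort versions use separate log tcp / log udp / log icmp rules.
log ip any any -> any any
```

Run it with binary packet logging enabled, e.g. `snort -c /etc/snort/snort.conf -l /var/log/snort -b -i eth0`. The tcpdump-format file is the one that grows fastest, so watch disk usage and rotate it; the alert outputs stay small because only matching rules write to them.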
Current thread:
- full tcpdump logging with alerting Ryan . Oliver (Aug 13)
- Re: full tcpdump logging with alerting Chris Green (Aug 13)
- Re: full tcpdump logging with alerting Martin Roesch (Aug 13)
- Re: full tcpdump logging with alerting Martin Roesch (Aug 13)
- <Possible follow-ups>
- Re: full tcpdump logging with alerting Ryan . Oliver (Aug 14)
- Re: full tcpdump logging with alerting Chris Green (Aug 13)