Snort mailing list archives

Re: Preprocessor logging (was: Log vs. Alert --end the confusion!)


From: Chris Green <cmg () sourcefire com>
Date: Tue, 13 Aug 2002 14:54:38 -0400

"Williams Jon" <WilliamsJon () JohnDeere com> writes:

If the stream gets flushed on an alert in the preprocessor, will it get
written out as individual packets, each with their original header, or will
they all get "reconstituted" into a stream pseudopacket?

Both.

When trying to track down some of these issues, having the original
packet headers is the only way to find out what's going on.

<blue-sky wishlist>
As kind of a side note, has anyone looked into a rolling buffer of sorts to
allow a certain amount of history?  I mean, snort's tag: thingie is great
for recording what happened _after_ an alert, but a lot of the time, it's what
happened _before_ that is really useful for determining what's going on.
Similar to the issues I've run into with the preprocessor alerts is that
looking at the actual packet that triggered the alert only gets you so far.


There's been talk of it.  Long term it will probably happen. Short
term, if it's a must-have, you can contract to have that type of thing
right now :^).

Seriously though, it's a pretty major undertaking that would be very
fun to do but has to be approached carefully.
-- 
Chris Green <cmg () sourcefire com>
Don't use a big word where a diminutive one will suffice.

