Snort mailing list archives

Re: log single packet vs reassembled stream


From: Jason Haar <Jason.Haar () trimble co nz>
Date: Tue, 05 Oct 2004 04:24:58 +1300

Alex Butcher, ISC/ISYS wrote:

I know about the tag keyword..... Is there any other way so that the
entire session can be logged, if alert is generated in any of its
packet....


sguil can integrate snort with tcpdump, apparently. I've thought about doing something similar using flexresp, tethereal (in ring-log-file mode) and a shell script or similar.


I think, Thomas, that you need to think through what you are asking. What if the traffic in question ends up being a 6Gb DVD download? No IDS system will log such amounts of data - it would cause a DoS attack against the IDS (i.e. it would run out of memory, CPU, disk, take your pick). Also think about if you were using the SQL backend - can your database handle a 6Gb BLOB object? :-). With Snort, a logged event contains the section that triggered the alert plus "a bit" of extra data around it - but it doesn't capture the entire session.

If you are sure you need such capabilities, then as Alex says, there may be other options...

Jason
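As an added illustration of the trade-off discussed above (this is example code written for this archive page, not Snort's code and not from any of the thread's authors): a small post-alert session logger that keeps a few packets of pre-alert context per flow and, once a rule fires, records the rest of that flow only up to a packet and byte cap. The cap is what keeps a multi-gigabyte download from exhausting the sensor; Snort's own tag keyword applies the same kind of limit (packets, bytes or seconds) to tagged traffic. All packets below are constructed, and the class, function and field names are my own.

```python
"""Bounded post-alert session logging (added example, not Snort code).

A "packet" here is a constructed dict with src, dst, sport, dport, proto
and payload; a real sensor would decode these from the wire.
"""
from collections import deque


def flow_key(pkt):
    """Direction-independent 5-tuple so both halves of a session match."""
    ends = sorted([(pkt["src"], pkt["sport"]), (pkt["dst"], pkt["dport"])])
    return (pkt["proto"],) + tuple(ends)


class BoundedSessionLogger:
    """Log a flow after an alert, but never more than the configured caps."""

    def __init__(self, pre_packets=2, max_packets=100, max_bytes=64 * 1024):
        self.pre_packets = pre_packets
        self.max_packets = max_packets
        self.max_bytes = max_bytes
        self.history = {}   # flow -> deque of recent packets (pre-alert context)
        self.active = {}    # flow -> counters for a flow currently being logged
        self.logged = []    # (flow, packet) pairs that actually reached disk

    def process(self, pkt, alert=False):
        key = flow_key(pkt)
        if key in self.active:
            # Flow already tagged by an earlier alert: log until the cap.
            self._log(key, pkt)
            return
        hist = self.history.setdefault(key, deque(maxlen=self.pre_packets))
        if alert:
            self.active[key] = {"packets": 0, "bytes": 0, "truncated": False}
            for old in hist:          # replay the small pre-alert window
                self._log(key, old)
            self._log(key, pkt)       # the packet that fired the rule
            del self.history[key]
        else:
            hist.append(pkt)          # benign so far; keep only a short window

    def _log(self, key, pkt):
        state = self.active[key]
        size = len(pkt["payload"])
        if state["packets"] >= self.max_packets or state["bytes"] + size > self.max_bytes:
            state["truncated"] = True # cap reached: drop, do not grow the log
            return
        state["packets"] += 1
        state["bytes"] += size
        self.logged.append((key, pkt))


def make_pkt(src, dst, sport, dport, payload, proto="tcp"):
    return {"src": src, "dst": dst, "sport": sport, "dport": dport,
            "proto": proto, "payload": payload}


def demo():
    """Constructed traffic: one large download that trips a rule, one quiet flow."""
    logger = BoundedSessionLogger(pre_packets=2, max_packets=100, max_bytes=64 * 1024)
    client, server = "10.0.0.5", "203.0.113.10"
    segments = [make_pkt(client, server, 40000, 80, b"GET /big.iso HTTP/1.1\r\n"),
                make_pkt(server, client, 80, 40000, b"HTTP/1.1 200 OK\r\n")]
    for pkt in segments:
        logger.process(pkt)
    # Third packet fires a (simulated) rule; from here the flow is being logged.
    alert_pkt = make_pkt(server, client, 80, 40000, b"\x00" * 1460)
    logger.process(alert_pkt, alert=True)
    offered = sum(len(p["payload"]) for p in segments) + 1460
    # Simulate the remainder of a big transfer: 10,000 full-size segments.
    for _ in range(10_000):
        logger.process(make_pkt(server, client, 80, 40000, b"\x00" * 1460))
        offered += 1460
    # An unrelated flow with no alert never reaches the log at all.
    logger.process(make_pkt("10.0.0.6", "203.0.113.20", 40001, 443, b"hello"))
    state = logger.active[flow_key(alert_pkt)]
    return {"offered_bytes": offered,
            "logged_bytes": state["bytes"],
            "logged_packets": state["packets"],
            "truncated": state["truncated"],
            "flows_logged": len({k for k, _ in logger.logged})}


if __name__ == "__main__":
    print(demo())
```

With a 64 KiB cap the logger stops at 46 packets of the download and flags the flow as truncated, while the sensor has been offered about 14.6 MB; the same bound holds no matter how large the transfer grows, which is the property Jason's message is asking for before anyone turns on whole-session capture.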


