Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Snort-Users
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: [Snort-users] Logging Reassembled Packets

from [Martin Roesch] Network Security [Permanent Link]
Subject: Re: [Snort-users] Logging Reassembled Packets
Date: Fri, 14 Mar 2008 10:02:06 -0400 
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I haven't looked at tcpdump's code in a long time but I think  
Daemonlogger and tcpdump's performance will be very similar.  I  
haven't taken any pains to accelerate anything in Daemonlogger, it's  
simply an interface between libpcap, libdnet and the disk.  IIRC,  
tcpdump when in "-w" mode wrote pretty directly to the disk with  
almost no code overhead if it wasn't being asked to do anything else.   
The chief advantage of Daemonlogger is that it's only about 900 lines  
of code and it probably has more logfile management features than  
tcpdump, although I haven't been keeping up with recent releases of  
that codebase.

        -Marty


On Mar 14, 2008, at 12:07 AM, Jeremy wrote:


Not trying to steal the thread here, but I have to ask since I have
never really stress tested damonlogger. Do you all think it performs
better than tcpdump at writing packets to disk?  This never crossed my
mine to evaluate before now, as I have only used damonlogger to play
traffic out another interface....  If yes, any document on this claim
out there?  Running to Google now to see if I can't find something on
this while I wait for responses ;)

--jeremy

On Thu, Mar 13, 2008 at 8:40 PM, Martin Roesch  
<roesch@sourcefire.com> wrote:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Correction.  You should use Daemonlogger!

:)

       -Marty



On Mar 13, 2008, at 8:20 PM, Jason wrote:


snort is not intended to log full reassembled streams, it is
intended to
detect intrusion attempts and log the relevant data associated with
those attempts. If you want full session logging you should use
tcpdump.

Kamran Shafi wrote:

I notice that there is a show_rebuilt_packets option in  
steam5_global
configuration, which I have turned on but don't know if it is
producing
anything. I run snort on some traffic collected on a web/dns/mysql
server
using -r flag. The log shows that snort filters out the server's
response
and keeps only the inbound traffic - I am not sure if this
behaviour is
because of the stream 5 processor or else?

On Fri, Mar 14, 2008 at 12:56 AM, Joel Esler <joel.esler@sourcefire.com



wrote:


Again, a visit to the readme's in the doc/ directory should help
you.
Look up "log_flushed_streams" in the stream4 readme.
Joel

 On Mar 13, 2008, at 2:36 AM, Kamran Shafi wrote:

Hi All,

Is there a way to log the reassembled (TCP/UDP/ICMP) sessions in
Snort?

--
Regards
Kam
-------------------------------------------------------------------------
This SF.net email is sponsored by: Microsoft
Defy all challenges. Microsoft(R) Visual Studio 2008.

http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users



--
Joel Esler ï joel.esler@sourcefire.com









------------------------------------------------------------------------

-------------------------------------------------------------------------
This SF.net email is sponsored by: Microsoft
Defy all challenges. Microsoft(R) Visual Studio 2008.
http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/


------------------------------------------------------------------------

_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users


-------------------------------------------------------------------------
This SF.net email is sponsored by: Microsoft
Defy all challenges. Microsoft(R) Visual Studio 2008.
http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/
_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users


- --
Martin Roesch - Founder/CTO, Sourcefire Inc. - +1-410-290-1616
Sourcefire - Security for the Real World - http://www.sourcefire.com
Snort: Open Source IDP - http://www.snort.org


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (Darwin)

iD8DBQFH2degqj0FAQQ3KOARAoGaAJ0Qunysz07riv/NwgSEyvkXuaKmvwCfRmjD
9vfsXaAbtb93a6aPRD4QPso=
=dxrz
-----END PGP SIGNATURE-----



-------------------------------------------------------------------------
This SF.net email is sponsored by: Microsoft
Defy all challenges. Microsoft(R) Visual Studio 2008.
http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/
_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

-------------------------------------------------------------------------
This SF.net email is sponsored by: Microsoft
Defy all challenges. Microsoft(R) Visual Studio 2008.
http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/
_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users


- --
Martin Roesch - Founder/CTO, Sourcefire Inc. - +1-410-290-1616
Sourcefire - Security for the Real World - http://www.sourcefire.com
Snort: Open Source IDP - http://www.snort.org


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (Darwin)

iD8DBQFH2oVeqj0FAQQ3KOARAqIFAJ4ut4S/IUJAnMA6BNkAyDtrLB/hSACeLs+3
Dfumb249lxumVuVDMEJrkMw=
=D0iq
-----END PGP SIGNATURE-----

-------------------------------------------------------------------------
This SF.net email is sponsored by: Microsoft
Defy all challenges. Microsoft(R) Visual Studio 2008.
http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/
_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: [Snort-users] Logging Reassembled Packets, John Curry
Next by Date:  Re: [Snort-users] DOS attacks, Todd Wease
Previous by Thread:  Re: [Snort-users] Logging Reassembled Packets, John Curry
Next by Thread:  [Snort-users] DOS attacks, Kamran Shafi
Indexes:  [Date] [Thread] [Top] [All Lists]