Subject: Re: [snort] Spurious ALERT msgs in syslog
From: Martin Roesch (roesch@hiverworld.com)
Date: Tue Mar 07 2000 - 12:49:19 CST
- Next message: Martin Roesch: "Re: [snort] Re: [anno] php snort statistics web page script"
- Previous message: Martin Roesch: "Re: [snort] Rapidnet sig error?"
- In reply to: Erich Meier: "Re: [snort] Spurious ALERT msgs in syslog"
- Reply: Martin Roesch: "Re: [snort] Spurious ALERT msgs in syslog"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Erich Meier wrote:
>
> Okay, session dumps now work when the tcpdump output plugin is not enabled.
> But when it is enabled, sessions are not dumped.
>
> I think, that something like
>
> if(otn_tmp != NULL && otn_tmp->session_flag)
> {
>     OpenSessionFile(p);
>     DumpSessionData(session, p);
>     fclose(session);
> }
>
> together with the appropriate otn_tmp and session definitions in LogTcpdump()
> would do the trick.
>
> Looking a bit closer at the code makes me think, that this session dumping
> stuff works only for one session at a time.
>
> Right?
Grr....
Ok, the session keyword is going to migrate to a plugin tonight so that
it's an independent entity from the rest of the logging system. The
real question becomes whether this should be an output plugin or a
detection plugin. Probably a detection plugin since it's only called on
certain rules.
--
Martin Roesch <roesch@hiverworld.com>
Director of Forensic Systems
http://www.hiverworld.com
Hiverworld, Inc. Enterprise Network Security
Network Forensics, Intrusion Detection and Risk Assessment
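An added illustration of the one-session-at-a-time limitation Erich points to, written for this archive page and not taken from Snort or from either author: session-dump state kept per flow in a small table instead of in a single global `session` handle, so concurrent TCP sessions do not overwrite each other. The flow-key fields, the table size and the in-memory buffers that stand in for dump files are assumptions.

```c
/* Added illustration, not Snort's code: per-flow session-dump state instead of one
 * global `session` handle, so several TCP sessions can be dumped at once. Memory
 * buffers stand in for files; the key fields and table size are assumptions. */
#include <stdint.h>
#include <string.h>
#define MAX_SESSIONS 16
#define BUF_SIZE 256
typedef struct { uint32_t sip, dip; uint16_t sport, dport; } FlowKey; /* IPv4 4-tuple */
typedef struct { int in_use; FlowKey key; size_t len;
                 char data[BUF_SIZE]; /* stands in for the per-session dump file */ } SessionSlot;
static SessionSlot table[MAX_SESSIONS];

/* Both directions of one connection map to the same slot. */
static int key_matches(const FlowKey *a, const FlowKey *b) {
    return (a->sip == b->sip && a->dip == b->dip && a->sport == b->sport && a->dport == b->dport)
        || (a->sip == b->dip && a->dip == b->sip && a->sport == b->dport && a->dport == b->sport);
}

SessionSlot *session_find(const FlowKey *k) {
    for (int i = 0; i < MAX_SESSIONS; i++)
        if (table[i].in_use && key_matches(&table[i].key, k)) return &table[i];
    return NULL;
}

/* The OpenSessionFile() step: reuse the flow's slot or claim a free one. */
SessionSlot *session_open(const FlowKey *k) {
    SessionSlot *s = session_find(k);
    for (int i = 0; s == NULL && i < MAX_SESSIONS; i++)
        if (!table[i].in_use) {
            s = &table[i];
            s->in_use = 1; s->key = *k; s->len = 0; s->data[0] = '\0';
        }
    return s; /* NULL when the table is full: the caller must drop or evict */
}

/* The DumpSessionData() step: append payload, truncating rather than overflowing. */
int session_dump(const FlowKey *k, const char *payload, size_t n) {
    SessionSlot *s = session_open(k);
    if (s == NULL) return -1;
    if (n > BUF_SIZE - 1 - s->len) n = BUF_SIZE - 1 - s->len;
    memcpy(s->data + s->len, payload, n);
    s->len += n;
    s->data[s->len] = '\0';
    return (int)n;
}

/* The fclose() step: release the slot once the session is finished. */
void session_close(const FlowKey *k) {
    SessionSlot *s = session_find(k);
    if (s != NULL) s->in_use = 0;
}
```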