Re: [Snort-users] Double logging in alert_fast - Problem solved

From: Zultan (zultan@mad.scientist.com)
Date: Sun Sep 18 2005 - 20:03:59 CDT


Please disregard the below.

Removing the tag:session option from the log line stopped the double logging.

My apologies to the list...

----- Original Message -----
From: Zultan <zultan@mad.scientist.com>
To: snort-users@lists.sourceforge.net
Subject: [Snort-users] Double logging in alert_fast
Date: Fri, 16 Sep 2005 04:22:03 +0000

>
> I know ASCII logging is bad, and that binary logging would be much better for
> this, but still, I need to do it. Also according to the archives, this was
> an issue before 1.8.1.
>
> While trying to grab entire TCP sessions with a hostile IP, it logs each
> packet twice after the 3way handshake. Running 2.4 and testing from the
> command line with:
>
> snort -d -i eth0 -l ./log -m 027 -y -c ./host-svr.rules
>
> ----------------
> host-svr.rules is:
> ----------------
>
> var HOME_NET [x.x.x.x/32]
> var EXTERNAL_NET any
> include ./class.config
> output alert_fast: alert
>
> var HOSTILE_SVRS [IPaddress/32]
>
> alert tcp $HOME_NET any -> $HOSTILE_SVRS any (msg:"SYN to HOSTILE server"; flags:S;)
> alert tcp $HOSTILE_SVRS any -> $HOME_NET any (msg:"SYN/ACK from HOSTILE server"; flags:SA;)
> log tcp $HOSTILE_SVRS any <> $HOME_NET any (flow:established; tag:session,5000,packets;)
>

_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
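As an added example, not part of the original post or of the Snort distribution, here is the quoted host-svr.rules with the double-logging rule beside two ways to log each packet of the hostile session once. The reply above reports that dropping tag:session stopped the duplicates, which is consistent with how the posted log rule works: the rule itself matches every established packet between the two hosts, and tag:session then logs the same packets again as members of the tagged session. The x.x.x.x and IPaddress placeholders are kept from the post, and the sid values are arbitrary local numbers chosen here.

```snort
# Added example, not the poster's rules or part of Snort: host-svr.rules with
# the double-logging rule and two ways to log each packet once.
# Placeholders x.x.x.x and IPaddress are kept from the post; sid values are
# arbitrary local numbers chosen here.
var HOME_NET [x.x.x.x/32]
var EXTERNAL_NET any
var HOSTILE_SVRS [IPaddress/32]
include ./class.config
output alert_fast: alert

alert tcp $HOME_NET any -> $HOSTILE_SVRS any (msg:"SYN to HOSTILE server"; flags:S; sid:1000001;)
alert tcp $HOSTILE_SVRS any -> $HOME_NET any (msg:"SYN/ACK from HOSTILE server"; flags:SA; sid:1000002;)

# As posted (kept commented out): the log rule matches every established packet
# itself, and tag:session logs the same packets again as part of the tagged
# session, so each packet after the handshake is written twice.
# log tcp $HOSTILE_SVRS any <> $HOME_NET any (flow:established; tag:session,5000,packets; sid:1000003;)

# Fix 1, as reported in the reply: the same log rule without the tag. Every
# established packet between the two hosts is logged once, for as long as
# Snort runs.
log tcp $HOSTILE_SVRS any <> $HOME_NET any (flow:established; sid:1000003;)

# Fix 2, an alternative: move the tag onto the alert that starts the session
# and drop the log rule entirely. The SYN alert fires once, then tagging logs
# up to 5000 further packets of that session in both directions. This rule
# REPLACES the SYN alert above and is used INSTEAD of Fix 1; enabling both
# re-introduces the double logging.
# alert tcp $HOME_NET any -> $HOSTILE_SVRS any (msg:"SYN to HOSTILE server"; flags:S; tag:session,5000,packets; sid:1000001;)
```

Run it with the command line from the quoted message and confirm that each packet after the handshake now appears once under ./log. One caveat on the SYN rule: flags:S matches only when SYN is the sole flag set, so SYN packets carrying the two reserved (ECN) bits are missed; flags:S,12 tells Snort to ignore those two bits when comparing.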