[Snort-users] full tcpdump logging with alerting

Ryan....@pha.com.au

Aug 13, 2001, 5:08:53 AM

Greetings all,

I was wondering if it was possible to run snort logging ALL traffic to a
tcpdump file ( not just alerts ), while logging alerts etc to a
database/syslog in real time.

I have my snort.conf file setup for output plugins as such

output alert_syslog: LOG_AUTH LOG_ALERT
output log_tcpdump: snort.log
output database: log, mysql, user=snort password=xxxxxxxxx dbname=snort
host=xxxxxxxx

The reasoning behind wanting to keep full tcpdump logfiles is to be able
to replay whole sessions when anything unusual happens.

I am trying to avoid running both snort and tcpdump together at once.....
Any ideas appreciated

Best regards
Ryan Oliver

_______________________________________________
Snort-users mailing list
Snort...@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Chris Green

Aug 13, 2001, 10:06:51 AM
Ryan....@pha.com.au writes:

> Greetings all,
>
> I was wondering if it was possible to run snort logging ALL traffic to a
> tcpdump file ( not just alerts ), while logging alerts etc to a
> database/syslog in real time.

I think

include "blah.rules"
...

With the last rule of

# traffic logging rule
log ip any any -> any any (msg: "traffic")

There might be a better way to do this. Note that this will require a
fairly recent snort though there's the smell of a very stable snort
coming out sometime soon :>

you could do about the same in older versions with log udp / log tcp /
log icmp

Note that your files may grow very large very quickly and you could
run into OS issues but I'm sure you've thought about this.
--
Chris Green <c...@uab.edu>
Laugh and the world laughs with you, snore and you sleep alone.

Martin Roesch

Aug 13, 2001, 10:21:35 AM
Sure, add this rule:

log ip any any -> any any

-Marty

Ryan....@pha.com.au wrote:
>
> Greetings all,
>
> I was wondering if it was possible to run snort logging ALL traffic to
> a tcpdump file ( not just alerts ), while logging alerts etc to a
> database/syslog in real time.
>

> I have my snort.conf file setup for output plugins as such
>
> output alert_syslog: LOG_AUTH LOG_ALERT
> output log_tcpdump: snort.log
> output database: log, mysql, user=snort password=xxxxxxxxx
> dbname=snort host=xxxxxxxx
>
> The reasoning behind wanting to keep full tcpdump logfiles is to be
> able to replay whole sessions when anything unusual happens.
>
> I am trying to avoid running both snort and tcpdump together at
> once.....
> Any ideas appreciated
>
> Best regards
> Ryan Oliver

--
Martin Roesch
roe...@sourcefire.com
http://www.sourcefire.com - http://www.snort.org

Martin Roesch

Aug 13, 2001, 10:38:54 AM
Chris Green wrote:

>
> Ryan....@pha.com.au writes:
>
> > Greetings all,
> >
> > I was wondering if it was possible to run snort logging ALL traffic to a
> > tcpdump file ( not just alerts ), while logging alerts etc to a
> > database/syslog in real time.
>
> I think
>
> include "blah.rules"
> ...
>
> With the last rule of
>
> # traffic logging rule
> log ip any any -> any any (msg: "traffic")

You don't need the options field, just the rule header.

> There might be a better way to do this. Note that this will require a
> fairly recent snort though there's the smell of a very stable snort
> coming out sometime soon :>
>
> you could do about the same in older versions with log udp / log tcp /
> log icmp
>
> Note that your files may grow very large very quickly and you could
> run into OS issues but I'm sure you've thought about this.

Logging everything is usually only an option on small networks or for
people with large disks. :)

-Marty

Ryan....@pha.com.au

Aug 14, 2001, 4:27:29 AM

Greetings all,

Thanks all, it works a treat except for one thing.

When running snort in daemon mode I have it logging to mysql/syslog and
the tcpdump formatted file.
Unfortunately when I stop snort to rotate out the tcpdump logfile (done
hourly) I cannot read the contents, getting "pcap_loop: truncated dump
file".

This doesn't occur if I run snort outside of daemon mode (which isn't an
option)...
I've tried kill with signals 1,2,3,9 but still with the same results...

Is there any way to get snort to complete the logfile and bow out
gracefully from daemon mode or is there something I am missing here??

Any help appreciated

Best Regards
Ryan Oliver
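The "pcap_loop: truncated dump file" error Ryan describes is what libpcap reports when the last record in a tcpdump-format file claims more packet bytes than are actually present. libpcap's dumper writes through a buffered stdio stream, so a process that is killed before it closes the dump file can leave a partial record at the end; everything before that record is normally intact. The checker below is an added example written for this thread, not code from Snort or from any of the posters. It walks the records of a classic libpcap file, reports where and why it stops being well-formed, and salvages the prefix that contains only complete records, so a rotated capture can be verified before anyone relies on it for session replay. The sample file it builds is constructed in memory; the file-format constants are the standard libpcap ones.

```python
import struct
import sys

# Classic libpcap file layout (the format tcpdump and Snort's log_tcpdump
# plugin write): a 24-byte global header, then records made of a 16-byte
# header (ts_sec, ts_usec, incl_len, orig_len) followed by incl_len bytes.
GLOBAL_HDR_LEN = 24
RECORD_HDR_LEN = 16
MAGIC_LE = b"\xd4\xc3\xb2\xa1"   # magic 0xa1b2c3d4 written little-endian
MAGIC_BE = b"\xa1\xb2\xc3\xd4"   # the same magic written big-endian
MAX_SNAPLEN = 262144             # libpcap's MAXIMUM_SNAPLEN; sanity bound for incl_len


def check_pcap(data: bytes) -> dict:
    """Walk every record and report whether the file ends on a record boundary.

    Returns 'ok', a 'reason' when not ok, 'records' (complete records seen) and
    'good_len' (byte offset just past the last complete record), so a caller can
    both diagnose a truncated dump and salvage it.
    """
    if len(data) < GLOBAL_HDR_LEN:
        return {"ok": False, "reason": "short global header", "records": 0, "good_len": 0}
    if data[:4] == MAGIC_LE:
        endian = "<"
    elif data[:4] == MAGIC_BE:
        endian = ">"
    else:
        return {"ok": False, "reason": "bad magic", "records": 0, "good_len": 0}
    off, records = GLOBAL_HDR_LEN, 0
    while off < len(data):
        if len(data) - off < RECORD_HDR_LEN:
            # the writer died while emitting a record header
            return {"ok": False, "reason": "truncated record header",
                    "records": records, "good_len": off}
        _ts_sec, _ts_usec, incl_len, orig_len = struct.unpack(
            endian + "IIII", data[off:off + RECORD_HDR_LEN])
        if incl_len > orig_len or incl_len > MAX_SNAPLEN:
            # header bytes are present but not plausible: stop trusting the file here
            return {"ok": False, "reason": "corrupt record header",
                    "records": records, "good_len": off}
        if len(data) - off - RECORD_HDR_LEN < incl_len:
            # header complete, packet bytes cut short: the killed-writer case
            return {"ok": False, "reason": "truncated packet data",
                    "records": records, "good_len": off}
        off += RECORD_HDR_LEN + incl_len
        records += 1
    return {"ok": True, "reason": "", "records": records, "good_len": off}


def salvage_pcap(data: bytes) -> bytes:
    """Return the longest prefix of data that contains only complete records."""
    return data[:check_pcap(data)["good_len"]]


def build_sample_pcap(n_packets: int) -> bytes:
    """Constructed sample: a little-endian pcap with n_packets Ethernet-typed records."""
    # magic, version 2.4, thiszone 0, sigfigs 0, snaplen 1514, linktype 1 (Ethernet)
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 1514, 1)
    body = b""
    for i in range(n_packets):
        payload = bytes([i & 0xFF]) * (60 + i)     # dummy frame bytes, 60, 61, ... long
        body += struct.pack("<IIII", 997660000 + i, 0, len(payload), len(payload)) + payload
    return hdr + body


def demo() -> tuple:
    """Simulate a dump whose writer was killed mid-record, then salvage it."""
    intact = build_sample_pcap(5)
    cut = intact[:-30]                   # the last record loses 30 of its 80 bytes
    return check_pcap(cut), check_pcap(salvage_pcap(cut))


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # usage: python check_pcap.py snort.log.1 (writes snort.log.1.salvaged if needed)
        with open(sys.argv[1], "rb") as fh:
            raw = fh.read()
        result = check_pcap(raw)
        print(result)
        if not result["ok"] and result["good_len"] > GLOBAL_HDR_LEN:
            with open(sys.argv[1] + ".salvaged", "wb") as out:
                out.write(salvage_pcap(raw))
    else:
        print(demo())
```

Run it against each rotated file before archiving it; a report of "truncated packet data" with a large record count means the capture is usable up to the last complete record, while "bad magic" or "short global header" means the file never got a proper header and holds nothing to replay. The checker reads the whole file into memory, which is fine for hourly rotations but would want a streaming rewrite for multi-gigabyte captures.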