Snort mailing list archives

Re: simultaneous snort and tcpdump


From: Bennett Todd <bet () rahul net>
Date: Thu, 26 Sep 2002 17:11:54 -0400

2002-09-26-16:47:40 Carl Gibbons:
> Okay, here's an example of what I'd like:  for every snort alert,
> don't just save (into mmdd () hhmm-snort log) the packet that caused
> the alert, but also save the ten preceding and ten succeeding
> packets between the same hosts.

Sounds spiffy. Sounds like something that would require a fair
amount of additional code; I'm not sure how it would be easiest to
craft that code.

> This is why I am running tcpdump and snort simultaneously.

If you've got the resources to take that approach, it's probably the
simplest approximation to implement.

> My question remains.  Sorry, Jason, but your "RTFM" suggestion to
> craft a clever snort rule doesn't help.

Perhaps I misunderstood Jason, but I _think_ his suggestion is very
relevant.

I took him to mean that it might be more efficient to use one snort
to do the job you're currently doing with snort + tcpdump. Rather
than running both snort and tcpdump, run just snort, and configure
the snort to log everything, by creating a rule that logs
everything. I think the canonical example might be

        log ip any any <> any any

although I'm not sure, as I haven't actually tried this.

If you don't need the alerts in real-time, another approach might be
to just use either snort or tcpdump as a pure packet capture to save
everything in a libpcap format file, then as you rotate logs, rotate
them clean off your capture sniffer to a log archival system, and
there run snort over them with -r.

-Bennett
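The second approach in the reply above (capture everything to a libpcap file, then work on the archived file later) is also the simplest way to get exactly what Carl asked for: the alert packet plus the ten packets before and after it between the same two hosts. The script below is an added example written for this page; it is not code from this thread or from the Snort or tcpdump projects. It parses classic pcap with the standard library only, assumes Ethernet frames carrying IPv4, and builds its own constructed sample capture (the addresses, the frame layout and the helper names `parse_pcap`, `alert_context` and `write_pcap` are all assumptions made here, not anything from the thread). The alert is identified by its frame number in the capture; in practice that number comes from matching the timestamp and hosts in the snort alert file against the pcap.

```python
"""Extract alert context from a libpcap capture: the alert packet plus up to
N packets before and after it between the same two hosts.  Standard library
only; assumes Ethernet (DLT_EN10MB) frames carrying IPv4.  Added example,
not code from the snort-users thread it illustrates."""
import struct
from collections import namedtuple

Packet = namedtuple("Packet", "index ts src dst frame")  # index = frame number, 1-based

PCAP_MAGIC_LE = 0xA1B2C3D4  # microsecond pcap written little-endian
PCAP_MAGIC_BE = 0xD4C3B2A1  # what a big-endian file's magic looks like through a "<I" read


def parse_pcap(data):
    """Parse a classic pcap byte string into IPv4 Packets (non-IPv4 frames are skipped)."""
    magic, = struct.unpack_from("<I", data, 0)
    endian = {PCAP_MAGIC_LE: "<", PCAP_MAGIC_BE: ">"}.get(magic)
    if endian is None:
        raise ValueError("not a pcap file (magic %#x)" % magic)
    linktype = struct.unpack_from(endian + "HHiIII", data, 4)[5]
    if linktype != 1:
        raise ValueError("only Ethernet captures are handled here")
    packets, off, frameno = [], 24, 0
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack_from(endian + "IIII", data, off)
        off += 16
        frame = data[off:off + incl_len]
        off += incl_len
        frameno += 1
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":  # EtherType 0x0800 = IPv4
            continue
        src = ".".join(str(b) for b in frame[26:30])  # IPv4 source at Ethernet+12
        dst = ".".join(str(b) for b in frame[30:34])  # IPv4 destination at Ethernet+16
        packets.append(Packet(frameno, ts_sec + ts_usec / 1e6, src, dst, frame))
    return packets


def write_pcap(packets):
    """Write Packets back out as a little-endian pcap, readable by tcpdump -r / snort -r."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, 1)
    for p in packets:
        sec = int(p.ts)
        usec = int(round((p.ts - sec) * 1e6))
        out += struct.pack("<IIII", sec, usec, len(p.frame), len(p.frame)) + p.frame
    return out


def host_pair(pkt):
    """Unordered host pair, so both directions of a conversation match."""
    return frozenset((pkt.src, pkt.dst))


def alert_context(packets, alert_frame, n=10):
    """Return (before, alert, after): up to n packets on each side of frame
    number alert_frame that are between the same two hosts.  Near the start
    or end of the capture fewer than n are returned rather than padded."""
    pos = next((i for i, p in enumerate(packets) if p.index == alert_frame), None)
    if pos is None:
        raise KeyError("frame %d is not an IPv4 packet in this capture" % alert_frame)
    pair = host_pair(packets[pos])
    before = [p for p in packets[:pos] if host_pair(p) == pair][-n:]
    after = [p for p in packets[pos + 1:] if host_pair(p) == pair][:n]
    return before, packets[pos], after


# --- constructed sample data (not a real capture) -------------------------

def _frame(src, dst, payload):
    """Minimal Ethernet + IPv4 frame (proto 17); checksums left zero on purpose."""
    eth = b"\x00" * 12 + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, 17, 0,
                     bytes(int(o) for o in src.split(".")),
                     bytes(int(o) for o in dst.split(".")))
    return eth + ip + payload


def build_sample_pcap():
    """30 frames: an A<->B conversation with every third frame being A->C noise."""
    host_a, host_b, host_c = "10.0.0.5", "192.0.2.10", "10.0.0.9"  # hypothetical addresses
    frames = []
    for i in range(30):
        if i % 3 == 2:
            frames.append(_frame(host_a, host_c, b"noise%02d" % i))
        elif i % 2 == 0:
            frames.append(_frame(host_a, host_b, b"req%02d" % i))
        else:
            frames.append(_frame(host_b, host_a, b"resp%02d" % i))
    out = struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1033000000 + i, 0, len(f), len(f)) + f
    return out


if __name__ == "__main__":
    pkts = parse_pcap(build_sample_pcap())
    before, alert, after = alert_context(pkts, 16)  # pretend snort alerted on frame 16
    print("alert: frame %d %s -> %s" % (alert.index, alert.src, alert.dst))
    print("before:", [p.index for p in before], "after:", [p.index for p in after])
    with open("alert-frame16-context.pcap", "wb") as fh:
        fh.write(write_pcap(before + [alert] + after))
```

Two caveats worth knowing before relying on this. "Between the same hosts" is matched here on the unordered IP address pair only, so on a busy link the surrounding packets may belong to other connections between those hosts; match on ports as well if per-flow context is what you want. And the capture has to hold whole packets: a tcpdump run with a short snaplen gives you truncated frames, so capture with `-s 0` (or a snaplen at least as large as your MTU) if snort is going to re-read the file with -r.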
