Snort mailing list archives

"Saving State" in Snort


From: "Michael L. Artz" <dragon () october29 net>
Date: Sun, 30 Mar 2003 23:14:21 -0500

I am fairly new to Snort, so feel free to abuse away ...

Anyway, when running snort offline on a tcpdump audit trail, is there a way to tell snort to "save state" (perhaps to a file) so that when I run Snort on two different files, it remembers what was in the first (for session reconstruction, fragmentation reassembly, etc) when I run the second through?

My problem is thus: I have a ton of nicely gzipped tcpdump audit logs that I periodically save off to DVD. I would like to run them through Snort with all of the signatures turned on to see if I can see anything that was missed by the live, tuned, production Snort. Sort of an in-house network forensics. I don't, however, want to have to ungzip them all, merge them together with something like mergecap, and then run the gigantic file through Snort, especially since the files span multiple DVDs. I also don't want to miss anything that might have occurred that spans multiple files.

Without a way for Snort to "save state" between files, I have come to two possibilities: a) replay all of the traffic on a private net using something like tcpreplay, or b) merge two files, run them through, and then merge the last file of the previous round and run it through merged with the next file, i.e. file1 and file2, then file2 and file3, then file3 and file4. The latter solution still has problems with breaks (hopefully less) and has the added complexity of weeding out duplicate alerts before they reach the database. I would rather not have to do the former, as management doesn't seem to like me replaying traffic onto company computers.

Is there an intelligent way to do this? I think that having Snort (optionally) dump its current state and then be able to read it in and start where it left off would be pretty cool, and solve my situation nicely.

Any help would be appreciated.

Thanks
-Mike
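The bookkeeping for option (b) above, as an added example that is not part of the original post or of Snort itself: it pairs the capture files as file1+file2, file2+file3, ..., prints the shell commands for each round (gunzip, mergecap -w, snort -r ... -A fast), and then weeds out the alerts that the shared middle file produces twice. It assumes Snort 2.x "-A fast" alert lines; the file names, snort.conf/log paths and the sample alerts are constructed for the example.

```python
# Added example (not from the original post or the Snort project):
# "overlapping pairs" replay bookkeeping. Assumes Snort 2.x "-A fast"
# alert lines; file names and config paths are placeholders.
import re
from typing import Iterable, List, Optional, Sequence, Tuple

def overlapping_pairs(files: Iterable[str]) -> List[Tuple[str, ...]]:
    """Sort capture files by name and return (file1, file2), (file2, file3), ...
    A single file is returned on its own; no files means no rounds."""
    ordered = sorted(files)
    if len(ordered) < 2:
        return [tuple(ordered)] if ordered else []
    return [(ordered[i], ordered[i + 1]) for i in range(len(ordered) - 1)]

def commands_for_round(pair: Sequence[str], conf: str = "snort.conf",
                       logdir: str = "logs", out: str = "round.pcap") -> List[str]:
    """Shell commands for one round: gunzip the members that are gzipped,
    merge them in timestamp order with mergecap, run Snort over the result.
    Paths are hypothetical; adjust to the real layout."""
    cmds: List[str] = []
    plain: List[str] = []
    for f in pair:
        if f.endswith(".gz"):
            p = f[:-3]
            cmds.append(f"gunzip -c {f} > {p}")
        else:
            p = f
        plain.append(p)
    cmds.append(f"mergecap -w {out} " + " ".join(plain))
    cmds.append(f"snort -r {out} -c {conf} -A fast -l {logdir}")
    return cmds

# Snort 2.x fast-alert line: timestamp, [gid:sid:rev], message, optional
# classification/priority, {proto} src -> dst.
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r".*?\{(?P<proto>\w+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)$"
)

def alert_key(line: str) -> Optional[Tuple[str, str, str, str, str]]:
    """Identity of an alert: pcap timestamp, gid, sid, src, dst.
    The same packet seen in two rounds carries the same pcap timestamp,
    so this key matches exactly the duplicates the overlap introduces."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    return (m["ts"], m["gid"], m["sid"], m["src"], m["dst"])

def dedup_alerts(rounds: Iterable[Iterable[str]]) -> List[str]:
    """Concatenate the fast-alert output of successive rounds, keeping the
    first copy of each alert. An alert that only the second round raises
    (because it now had the earlier file's state) is kept, not dropped."""
    seen = set()
    kept: List[str] = []
    for lines in rounds:
        for line in lines:
            key = alert_key(line)
            if key is None or key in seen:
                continue
            seen.add(key)
            kept.append(line.strip())
    return kept

# Constructed sample output of two rounds (file1+file2, then file2+file3):
# EXAMPLE B comes from the shared file2 and appears in both rounds.
ROUND_1 = [
    "03/30-23:14:21.000001  [**] [1:1000001:1] EXAMPLE A [**] "
    "[Classification: Misc activity] [Priority: 3] {TCP} 10.0.0.1:34567 -> 10.0.0.2:80",
    "03/30-23:30:05.000002  [**] [1:1000002:1] EXAMPLE B [**] "
    "[Priority: 2] {ICMP} 10.0.0.3 -> 10.0.0.2",
]
ROUND_2 = [
    "03/30-23:30:05.000002  [**] [1:1000002:1] EXAMPLE B [**] "
    "[Priority: 2] {ICMP} 10.0.0.3 -> 10.0.0.2",
    "03/31-00:02:17.000003  [**] [1:1000003:1] EXAMPLE C [**] "
    "[Priority: 1] {UDP} 10.0.0.4:5353 -> 10.0.0.2:53",
    "not an alert line",
]

if __name__ == "__main__":
    for pair in overlapping_pairs(["f3.pcap.gz", "f1.pcap.gz", "f2.pcap.gz"]):
        print("\n".join(commands_for_round(pair)))
    for line in dedup_alerts([ROUND_1, ROUND_2]):
        print(line)
```

The key deliberately omits the message text and priority so that it is the packet identity (pcap timestamp, rule, endpoints) that decides duplication; collapsing on the full line would also work with an unchanged rule set. Note that deduplicating this way only removes the second copy of alerts the shared file produces in both rounds; it does nothing about the remaining breaks at the edges of each pair.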



_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net