Snort mailing list archives
RE: NIDS Packet Capture Problem
From: "Gordon Cunningham" <gacunningham () bellsouth net>
Date: Wed, 15 Oct 2003 09:45:48 -0400
Sure, set up a lab test LAN with controlled devices and ensure there is no connectivity to a dirty network. Perform a series of network actions and capture that traffic with tcpdump. No need to use snort at all. In fact, some normal web page requests can trigger snort's portscan rules, so it would be better to not use snort and ensure your environment is clean to begin with.

- Gordon

"When I finally found a spam filter that worked, I no longer received ANY email."

-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of Shishir Tejpal
Sent: Wednesday, October 15, 2003 1:58 AM
To: snort-users () lists sourceforge net
Subject: [Snort-users] NIDS Packet Capture Problem

Hi all,

I am working on a graduate project for which I require clean log files which contain only valid network data w/o port scans and even remove attacks if they are present. This log file will be used as a training set for anomaly detection.

The problem that I am having is that I am running two snort programs, one as a NIDS and the other as a Sniffer; both log the packets in TCPDUMP format. Now in order to get a clean log file (containing only clean n/w traffic) I only write packets from the sniffer which are not present in the NIDS log file. This is a very inelegant way since I have a lot of log files from the summer containing packets captured by a sniffer which in all probability are infected with lots of scan attempts.

Does anybody know of a way that I can only log packets which do not pass any rule (i.e. they could be considered normal)? This would save a lot of computing time and could easily be automated. I am running snort on a win box.

Thanking you in advance,
Shishir Tejpal
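The "write only the sniffer packets that are not in the NIDS log" step Shishir describes can be done offline on the two tcpdump-format files. The following is an added example, not code from the thread or from Snort: a standard-library pcap reader that subtracts every packet the NIDS instance logged from the full sniffer capture and writes the remainder. It assumes classic libpcap files (microsecond timestamps, either byte order; pcapng is rejected), identifies a packet by a hash of its raw bytes rather than by timestamp so that the two capture processes need not agree on clocks, and uses constructed sample frames in place of real traffic. As Gordon's reply points out, this only removes what the rules actually matched; anything the ruleset missed remains in the "clean" file, which is the argument for a controlled lab capture instead.

```python
"""Subtract the packets a NIDS logged (alert capture) from a full sniffer capture,
leaving a 'clean' pcap for anomaly-detection training. Standard library only."""
import hashlib
import struct

PCAP_MAGIC_LE = 0xA1B2C3D4   # classic libpcap magic, microsecond timestamps
HEADER_LEN = 24              # global header size
RECORD_LEN = 16              # per-packet record header size


def build_pcap(packets, linktype=1):
    """Build a little-endian classic pcap in memory (constructed test data, not a real capture)."""
    out = bytearray(struct.pack('<IHHiIII', PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, linktype))
    for i, pkt in enumerate(packets):
        # ts_sec (arbitrary epoch seconds), ts_usec, captured length, original length
        out += struct.pack('<IIII', 1066204800 + i, 0, len(pkt), len(pkt))
        out += pkt
    return bytes(out)


def read_pcap(data):
    """Parse a classic pcap; returns (endian, header_bytes, [(ts_sec, ts_usec, orig_len, payload), ...])."""
    if len(data) < HEADER_LEN:
        raise ValueError('file too short for a pcap global header')
    magic = struct.unpack('<I', data[:4])[0]
    if magic == PCAP_MAGIC_LE:
        endian = '<'
    elif magic == 0xD4C3B2A1:          # same magic written big-endian
        endian = '>'
    else:
        raise ValueError('unsupported magic 0x%08x (pcapng / nanosecond pcap not handled)' % magic)
    records = []
    off = HEADER_LEN
    while off + RECORD_LEN <= len(data):
        ts_sec, ts_usec, incl_len, orig_len = struct.unpack(endian + 'IIII', data[off:off + RECORD_LEN])
        off += RECORD_LEN
        payload = data[off:off + incl_len]
        if len(payload) != incl_len:
            raise ValueError('truncated packet record at offset %d' % off)
        off += incl_len
        records.append((ts_sec, ts_usec, orig_len, payload))
    return endian, data[:HEADER_LEN], records


def packet_key(payload):
    """Identity of a packet across the two captures: a hash of its raw bytes (timestamps ignored)."""
    return hashlib.sha256(payload).digest()


def clean_capture(sniffer_pcap, alert_pcap):
    """Keep every sniffer packet whose bytes do not appear in the NIDS (alert) capture.
    Returns (clean_pcap_bytes, kept_count, dropped_count)."""
    _, _, flagged_records = read_pcap(alert_pcap)
    flagged = {packet_key(p) for _, _, _, p in flagged_records}
    endian, header, records = read_pcap(sniffer_pcap)
    out = bytearray(header)               # reuse the sniffer file's global header
    kept = dropped = 0
    for ts_sec, ts_usec, orig_len, payload in records:
        if packet_key(payload) in flagged:
            dropped += 1
            continue
        out += struct.pack(endian + 'IIII', ts_sec, ts_usec, len(payload), orig_len)
        out += payload
        kept += 1
    return bytes(out), kept, dropped


# Constructed sample frames (not real traffic): a dummy 14-byte Ethernet header plus a label.
ETH = b'\x00' * 12 + b'\x08\x00'
NORMAL_1 = ETH + b'GET /index.html HTTP/1.0'
NORMAL_2 = ETH + b'HTTP/1.0 200 OK'
SCAN_1 = ETH + b'probe to port 22'
SCAN_2 = ETH + b'probe to port 23'

SNIFFER_PCAP = build_pcap([NORMAL_1, SCAN_1, NORMAL_2, SCAN_2])   # everything the sniffer saw
ALERT_PCAP = build_pcap([SCAN_1, SCAN_2])                        # what the NIDS instance logged


def demo():
    """Run the subtraction on the constructed captures; returns (kept, dropped, remaining payloads)."""
    clean, kept, dropped = clean_capture(SNIFFER_PCAP, ALERT_PCAP)
    return kept, dropped, [p for _, _, _, p in read_pcap(clean)[2]]


if __name__ == '__main__':
    kept, dropped, payloads = demo()
    print('kept %d packet(s), dropped %d flagged packet(s)' % (kept, dropped))
    for p in payloads:
        print('  ', p[len(ETH):].decode())
```

To use it on the real logs, read the sniffer file and the NIDS log file into bytes and pass them to `clean_capture`, then write the returned bytes out as a new tcpdump-format file. Matching on raw bytes means that if the same packet bytes occur more than once in the sniffer log, every copy is dropped once any copy was flagged; for building a training set that conservative behaviour is usually what you want.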
Current thread:
- NIDS Packet Capture Problem Shishir Tejpal (Oct 15)
- <Possible follow-ups>
- NIDS Packet Capture Problem Shishir Tejpal (Oct 15)
- RE: NIDS Packet Capture Problem Gordon Cunningham (Oct 15)