Snort mailing list archives

RE: NIDS Packet Capture Problem


From: "Gordon Cunningham" <gacunningham () bellsouth net>
Date: Wed, 15 Oct 2003 09:45:48 -0400

Sure, set up a lab test LAN with controlled devices and ensure there is no
connectivity to a dirty network.  Perform a series of network actions and
capture that traffic with tcpdump. No need to use snort at all.  In fact,
some normal web page requests can trigger snort's portscan rules, so it
would be better to not use snort and ensure your environment is clean to
begin with.

- Gordon

"When I finally found a spam filter that worked, I no longer received ANY
email."

-----Original Message-----
From: snort-users-admin () lists sourceforge net
[mailto:snort-users-admin () lists sourceforge net]On Behalf Of Shishir Tejpal
Sent: Wednesday, October 15, 2003 1:58 AM
To: snort-users () lists sourceforge net
Subject: [Snort-users] NIDS Packet Capture Problem

Hi all,
          I am working on a graduate project for which I require clean log
files which contain only valid network data w/o port scans, and even remove
attacks if they are present. This log file will be used as a training set
for anomaly detection. The problem that I am having is that I am running two
snort programs, one as a NIDS and the other as a Sniffer; both log the
packets in TCPDUMP format. Now in order to get a clean log file (containing
only clean n/w traffic) I only write packets from the sniffer which are not
present in the NIDS log file. This is a very inelegant way since I
have a lot of log files from the summer containing packets captured by a
sniffer which in all probability are infected with lots of scan attempts.
Does anybody know of a way that I can only log packets which do not pass any
rule (i.e. they could be considered normal)? This would save a lot of
computing time and could easily be automated. I am running snort on a win
box.

Thanking you in advance

Shishir Tejpal
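
The "packets from the sniffer which are not in the NIDS log" step the original post describes can be automated directly from the two files Snort already produces: the raw tcpdump-format capture and the alert log. The script below is an added example for this thread, not code from either poster or from the Snort project. It assumes a classic libpcap file with Ethernet framing and alerts in Snort 2's `alert_fast` text format, of which only the `{PROTO} src:port -> dst:port` tail is parsed; the capture and the alert lines in the block are constructed for the demonstration, not a real capture. It deliberately drops every packet of an alerted flow in both directions rather than only the single packet that fired the rule, since for a training set of "normal" traffic it is safer to lose a few benign packets than to keep the rest of a scan.

```python
"""Filter a tcpdump-format capture down to packets whose flow never appears in a
Snort alert_fast log (added example; pure-stdlib, no scapy/dpkt needed)."""
import re
import struct

PCAP_MAGIC = 0xA1B2C3D4      # classic pcap, microsecond timestamps
LINKTYPE_ETHERNET = 1
PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}


def build_tcp_frame(src_ip, dst_ip, sport, dport, flags=0x02, payload=b""):
    """Minimal Ethernet/IPv4/TCP frame (checksums left zero: fine for offline
    parsing, not for replay). Used only to construct the sample capture."""
    eth = b"\x00" * 12 + b"\x08\x00"                      # zero MACs, EtherType IPv4
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes(map(int, src_ip.split("."))),
                     bytes(map(int, dst_ip.split("."))))
    return eth + ip + tcp


def build_pcap(records):
    """records: iterable of (ts_sec, ts_usec, frame) -> bytes of a pcap file."""
    out = [struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)]
    for ts_sec, ts_usec, frame in records:
        out.append(struct.pack("<IIII", ts_sec, ts_usec, len(frame), len(frame)) + frame)
    return b"".join(out)


def iter_pcap(data):
    """Yield (ts_sec, ts_usec, frame) per record; handles both byte orders."""
    magic = struct.unpack("<I", data[:4])[0]
    if magic == PCAP_MAGIC:
        end = "<"
    elif magic == 0xD4C3B2A1:
        end = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng / nanosecond pcap not handled)")
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack(end + "IIII", data[off:off + 16])
        off += 16
        yield ts_sec, ts_usec, data[off:off + incl_len]
        off += incl_len


def flow_key(frame):
    """(proto, src_ip, sport, dst_ip, dport) for IPv4 TCP/UDP/ICMP, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ihl = (frame[14] & 0x0F) * 4
    proto = PROTO_NAMES.get(frame[23])
    if proto is None:
        return None
    src = ".".join(map(str, frame[26:30]))
    dst = ".".join(map(str, frame[30:34]))
    l4 = 14 + ihl
    if proto in ("TCP", "UDP") and len(frame) >= l4 + 4:
        sport, dport = struct.unpack("!HH", frame[l4:l4 + 4])
        return (proto, src, sport, dst, dport)
    return (proto, src, None, dst, None)        # ICMP: alerts carry no ports


# Tail of an alert_fast line: "{TCP} 1.2.3.4:5 -> 6.7.8.9:10" (ports absent for ICMP)
ALERT_RE = re.compile(r"\{(\w+)\}\s+(\d+\.\d+\.\d+\.\d+)(?::(\d+))?\s+->\s+(\d+\.\d+\.\d+\.\d+)(?::(\d+))?")


def parse_alert_keys(alert_text):
    """Set of flow keys named by the alert lines; everything else on the line is ignored."""
    keys = set()
    for m in ALERT_RE.finditer(alert_text):
        proto, src, sport, dst, dport = m.groups()
        keys.add((proto.upper(), src, int(sport) if sport else None,
                  dst, int(dport) if dport else None))
    return keys


def filter_clean(pcap_bytes, alert_text, drop_both_directions=True):
    """Return (clean_pcap_bytes, kept, dropped): packets of alerted flows removed."""
    bad = parse_alert_keys(alert_text)
    if drop_both_directions:                     # also drop the victim's replies
        bad |= {(p, d, dp, s, sp) for (p, s, sp, d, dp) in bad}
    kept, dropped = [], 0
    for ts_sec, ts_usec, frame in iter_pcap(pcap_bytes):
        if flow_key(frame) in bad:
            dropped += 1
        else:
            kept.append((ts_sec, ts_usec, frame))
    return build_pcap(kept), len(kept), dropped


# Constructed sample capture: one benign HTTP exchange plus two SYN probes from a
# scanner, and constructed alert_fast lines flagging the probes (not real data).
SAMPLE_FRAMES = [
    (1066197480, 0,    build_tcp_frame("192.168.1.10", "192.168.1.20", 40000, 80, 0x18, b"GET / HTTP/1.0\r\n\r\n")),
    (1066197480, 1500, build_tcp_frame("192.168.1.20", "192.168.1.10", 80, 40000, 0x18, b"HTTP/1.0 200 OK\r\n\r\n")),
    (1066197481, 0,    build_tcp_frame("192.168.1.66", "192.168.1.20", 55555, 22)),
    (1066197481, 200,  build_tcp_frame("192.168.1.66", "192.168.1.20", 55555, 23)),
]
SAMPLE_PCAP = build_pcap(SAMPLE_FRAMES)
SAMPLE_ALERTS = """\
10/15/03-01:58:01.000000  [**] [122:1:0] (portscan) TCP Portscan [**] [Priority: 3] {TCP} 192.168.1.66:55555 -> 192.168.1.20:22
10/15/03-01:58:01.000200  [**] [122:1:0] (portscan) TCP Portscan [**] [Priority: 3] {TCP} 192.168.1.66:55555 -> 192.168.1.20:23
"""

if __name__ == "__main__":
    clean, kept, dropped = filter_clean(SAMPLE_PCAP, SAMPLE_ALERTS)
    print(f"kept {kept} packets, dropped {dropped} from alerted flows; clean pcap is {len(clean)} bytes")
```

On a real archive you would read the sniffer's `.log` file and Snort's `alert` file from disk in place of `SAMPLE_PCAP` and `SAMPLE_ALERTS`. Note what this does not do: a packet that no rule matched is only "normal" to the extent the ruleset is complete, which is exactly the point Gordon makes about preferring a capture from a controlled lab network over a filtered capture from a dirty one.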

