Snort mailing list archives

RE: Cisco IDS


From: "Alex Butcher, ISC/ISYS" <Alex.Butcher () bristol ac uk>
Date: Thu, 20 Jan 2005 08:54:05 +0000



--On 19 January 2005 14:28 -0500 Joe Patterson <jpatterson () asgardgroup com> wrote:

-----Original Message-----
From: snort-users-admin () lists sourceforge net
[mailto:snort-users-admin () lists sourceforge net]On Behalf Of Alex
Butcher, ISC/ISYS
Sent: Wednesday, January 19, 2005 10:49 AM
To: John Hally; 'snort-users () lists sourceforge net'
Subject: RE: [Snort-users] Cisco IDS
...
> The cool thing about Sguil is the ability to pull up a pcap file for
> the particular event reported.

The same can be done quite easily with ACID, if you're using a spool
processor which respects tagged packets. FLoP, for instance, does this. I
then wrote a small amount of PHP around the included 'getpacket' utility to
retrieve all tagged packets that were related to the triggering packet.

The one flaw with this is that snort can't (and shouldn't!) retroactively
tag packets.  So you can only see the things that happen *after* a
signature fires.  If you want to see what happened leading up to a
signature fire, then you need something like what sguil does.

Quite correct.

However, it shouldn't be hard to arrange for, say, tethereal to be capturing to a pair of ring buffers that it rotates between every 15 minutes or so. When a particular alert is generated, use flexresp (or some other mechanism) to send a signal to tethereal's controlling process which kills tethereal, renames the current ring buffers so that they are preserved, then restarts tethereal. This would give (in this case) at least 15 minutes of history without having to maintain pcap data 24/7/52.

I leave implementation as a simple matter of execution for the reader. :-)

-Joe

Best Regards,
Alex.
--
Alex Butcher: Security & Integrity, Personal Computer Systems Group
Information Systems and Computing             GPG Key ID: F9B27DC9
GPG Fingerprint: D62A DD83 A0B8 D174 49C4 2849 832D 6C72 F9B2 7DC9
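
The rotate-and-preserve scheme sketched above, written out as an added example; this is not code from the thread, from Alex, or from the Snort project. It uses tshark (tethereal's current name) and its -b ring-buffer options. Assumptions of mine: the alert-to-signal link is a SIGUSR1 delivered to this script by whatever watches the Snort alert output (a wrapper script, since flexresp itself only sends resets/ICMP); the ring_*.pcap filename pattern follows tshark's numbering of ring-buffer files; the interface, directories and 15-minute rotation are placeholders.

```shell
#!/bin/sh
# Added example, not from the original post. Keep a rolling pcap history in a
# two-file tshark ring buffer and, when an alert arrives as SIGUSR1, stop the
# capture, move the ring files out of harm's way, and start a fresh capture.
# ASSUMED: tshark on PATH; SIGUSR1 sent by a wrapper that watches Snort alerts;
# tshark names ring files <base>_NNNNN_YYYYMMDDHHMMSS.pcap.

RING_DIR=${RING_DIR:-/var/tmp/ring}     # assumed location of the live ring
KEEP_DIR=${KEEP_DIR:-/var/tmp/kept}     # assumed location for preserved sets
IFACE=${IFACE:-eth0}                    # assumed sniffing interface
ROTATE_SECS=${ROTATE_SECS:-900}         # 15 minutes per ring file
NFILES=${NFILES:-2}                     # two files => at least 15 min of history

# preserve_ring RING KEEP STAMP
# Move every ring-buffer file from RING into KEEP/alert-STAMP so a restarted
# tshark cannot recycle it. Prints the number of files preserved (0 if none).
preserve_ring() {
    ring=$1; keep=$2; stamp=$3
    dest="$keep/alert-$stamp"
    mkdir -p "$dest"
    n=0
    for f in "$ring"/ring_*.pcap*; do
        [ -e "$f" ] || continue          # unmatched glob stays literal; skip it
        mv "$f" "$dest/"
        n=$((n + 1))
    done
    echo "$n"
}

# Start tshark in the background writing a ring of NFILES files that roll
# every ROTATE_SECS seconds. Remember its pid so the alert handler can stop it.
start_capture() {
    tshark -i "$IFACE" -q \
        -b duration:"$ROTATE_SECS" -b files:"$NFILES" \
        -w "$RING_DIR/ring.pcap" &
    CAP_PID=$!
}

# SIGUSR1 handler: SIGTERM (not SIGKILL) so tshark flushes the current file,
# then preserve the ring and restart. There is a short blind window here.
on_alert() {
    kill "$CAP_PID" 2>/dev/null
    wait "$CAP_PID" 2>/dev/null
    preserve_ring "$RING_DIR" "$KEEP_DIR" "$(date +%Y%m%d%H%M%S)" >/dev/null
    start_capture
}

main() {
    mkdir -p "$RING_DIR" "$KEEP_DIR"
    trap on_alert USR1
    trap 'kill "$CAP_PID" 2>/dev/null; exit 0' INT TERM
    start_capture
    while :; do
        wait "$CAP_PID" || :             # returns early when a trapped signal fires
        # If tshark died on its own (not via the handler), restart it.
        kill -0 "$CAP_PID" 2>/dev/null || { sleep 1; start_capture; }
    done
}

# Only run the capture loop when explicitly asked, so the functions can be
# sourced and exercised without an interface or tshark present.
case "${1:-}" in run) main ;; esac
```

Usage: run it as `./ringcap.sh run` as the capture user, note its pid, and have the alert watcher do `kill -USR1 <pid>`. With files:2 and duration:900 the preserved set spans between 15 and 30 minutes before the alert; raise NFILES if the restart window or the alert latency makes that too tight.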



