Snort mailing list archives
RE: Cisco IDS
From: "Alex Butcher, ISC/ISYS" <Alex.Butcher () bristol ac uk>
Date: Thu, 20 Jan 2005 08:54:05 +0000
--On 19 January 2005 14:28 -0500 Joe Patterson <jpatterson () asgardgroup com> wrote:
> -----Original Message-----
> From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of Alex Butcher, ISC/ISYS
> Sent: Wednesday, January 19, 2005 10:49 AM
> To: John Hally; 'snort-users () lists sourceforge net'
> Subject: RE: [Snort-users] Cisco IDS
>
> ...
>
> > > The cool thing about Sguil is the ability to pull up a pcap file for
> > > the particular event reported.
> >
> > The same can be done quite easily with ACID, if you're using a spool processor which respects tagged packets. FLoP, for instance, does this. I then wrote a small amount of PHP around the included 'getpacket' utility to retrieve all tagged packets that were related to the triggering packet.
>
> The one flaw with this is that snort can't (and shouldn't!) retroactively tag packets. So you can only see the things that happen *after* a signature fires. If you want to see what happened leading up to a signature fire, then you need something like what sguil does.
Quite correct.

However, it shouldn't be hard to arrange for, say, tethereal to be capturing to a pair of ring buffers that it rotates between every 15 minutes or so. When a particular alert is generated, use flexresp (or some other mechanism) to send a signal to tethereal's controlling process which kills tethereal, renames the current ring buffers so that they are preserved, then restarts tethereal. This would give (in this case) at least 15 minutes of history without having to maintain pcap data 24/7/52.
> I leave implementation as a simple matter of execution for the reader. :-)
>
> -Joe
Best Regards,
Alex.
--
Alex Butcher: Security & Integrity, Personal Computer Systems Group
Information Systems and Computing
GPG Key ID: F9B27DC9
GPG Fingerprint: D62A DD83 A0B8 D174 49C4 2849 832D 6C72 F9B2 7DC9
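The ring-buffer arrangement Alex sketches above, as an added example that is not code from the thread or from any of its participants: a small POSIX shell controller that keeps tethereal writing to a two-file ring, and on a signal stops the capture, moves the current ring files to a preserved directory under a timestamp, and restarts the capture. Everything beyond Alex's description is an assumption: the tethereal ring-buffer options `-b duration:` and `-b files:` (these are the flags current tshark accepts; older tethereal releases may spell them differently), the `ring_*` naming of the files tethereal writes, SIGUSR1 as the trigger, and the spool paths and `controller.pid` file.

```shell
#!/bin/sh
# Added example (not from the thread): a controller process around
# tethereal that keeps a two-file ring buffer and, on SIGUSR1, stops
# the capture, preserves the current ring files and restarts it.
# Assumptions (not from the thread): tethereal on PATH accepting
# "-b duration:N -b files:2" (tshark-style ring options), ring files
# named ring_*, and the paths/signal below.

CAPTURE_CMD="${CAPTURE_CMD:-tethereal}"
IFACE="${IFACE:-eth0}"
RING_DIR="${RING_DIR:-/var/spool/ringcap}"
KEEP_DIR="${KEEP_DIR:-/var/spool/ringcap/preserved}"
ROTATE_SECS="${ROTATE_SECS:-900}"   # 15-minute files, two of them in the ring
CAP_PID=""

start_capture() {
    mkdir -p "$RING_DIR" || return 1
    # Two files rotated every ROTATE_SECS seconds: between 15 and 30
    # minutes of history on disk at any moment.
    "$CAPTURE_CMD" -i "$IFACE" -w "$RING_DIR/ring.pcap" \
        -b "duration:$ROTATE_SECS" -b files:2 &
    CAP_PID=$!
}

stop_capture() {
    [ -n "$CAP_PID" ] || return 0
    kill "$CAP_PID" 2>/dev/null
    wait "$CAP_PID" 2>/dev/null
    CAP_PID=""
}

# preserve_ring RING_DIR KEEP_DIR TAG: move every ring_* file out of the
# ring directory, prefixed with TAG so that a later alert never
# overwrites an earlier preserved capture. Prints the number of files moved.
preserve_ring() {
    ring_dir=$1 keep_dir=$2 tag=$3
    mkdir -p "$keep_dir" || return 1
    count=0
    for f in "$ring_dir"/ring_*; do
        [ -f "$f" ] || continue      # no match leaves the literal pattern
        mv "$f" "$keep_dir/${tag}_$(basename "$f")" || return 1
        count=$((count + 1))
    done
    echo "$count"
}

# Signal handler: the "kill, rename, restart" step from the thread.
on_alert() {
    stop_capture
    n=$(preserve_ring "$RING_DIR" "$KEEP_DIR" "$(date +%Y%m%d%H%M%S)")
    echo "preserved $n ring file(s) in $KEEP_DIR" >&2
    start_capture
}

main() {
    trap on_alert USR1
    trap 'stop_capture; exit 0' INT TERM
    start_capture || exit 1
    echo "$$" > "$RING_DIR/controller.pid"
    # Block in wait; a signal interrupts it, the trap runs, and the loop
    # then waits on whichever capture process is current.
    while [ -n "$CAP_PID" ] && kill -0 "$CAP_PID" 2>/dev/null; do
        wait "$CAP_PID" 2>/dev/null || :
    done
}

# Only run the controller when asked, so the functions can be sourced
# or exercised on their own.
if [ "${RINGCAP_RUN:-0}" = 1 ]; then
    main
fi
```

Start it with `RINGCAP_RUN=1 ./ringcap.sh`; whatever fires on the alert side (flexresp, an output plugin, or a wrapper watching the alert file) then runs `kill -USR1 "$(cat /var/spool/ringcap/controller.pid)"`. Two caveats a practitioner will want to keep in mind: there is a short gap in coverage between the kill and the restart, and because the preserved directory only ever grows, something has to prune or ship it, or a noisy rule can fill the spool.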