Snort mailing list archives

Re: tcpdump script

From: Will Metcalf <william.metcalf () gmail com>
Date: Wed, 8 Apr 2009 12:55:31 -0500

Here is my crappy little perl script to accomplish this, that uses another
crappy little perl script... ;-)...

http://node5.blogspot.com/2009/04/small-update-to-pcapparser.html

Regards,

Will

On Wed, Apr 8, 2009 at 12:22 PM, Nathaniel Richmond <
nate+snort () richmond-family org <nate%2Bsnort () richmond-family org>> wrote:

Nigel Houghton wrote:

Quoting Leon to make it clear what he actually stated:

"The method I use is to keep a limited cache of network traffic via
tcpdump's ringbuffer mode, a few 100MB of pcap data. When Snort
raises
an alert, a process automatically kicks off that extracts the
session
that caused the alert from the ringbuffer and stores it for
prosperity."

In short, Leon is not using Snort to grab the packets. He is getting
full session data for the event and IMNSHO he's doing it elegantly.

p.s. *Everyone* should have upgraded to Snort 2.8.4 already, if not,
do it now.


Nigel, I understand. I was trying to point out that there can be
value in capturing more sessions than just the one that triggered
the alert.

The Snort 2.8.4 upgrade process was relatively painless.


------------------------------------------------------------------------------
This SF.net email is sponsored by:
High Quality Requirements in a Collaborative Environment.
Download a free trial of Rational Requirements Composer Now!
http://p.sf.net/sfu/www-ibm-com
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users<https://lists.sourceforge.net/lists/listinfo/snort-users%0ASnort-users>list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

------------------------------------------------------------------------------
This SF.net email is sponsored by:
High Quality Requirements in a Collaborative Environment.
Download a free trial of Rational Requirements Composer Now!
http://p.sf.net/sfu/www-ibm-com

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Current thread:

Re: tcpdump script, (continued)
- Re: tcpdump script Nathaniel Richmond (Apr 07)
  - Re: tcpdump script Leon Ward (Apr 08)
    - Re: tcpdump script Jack Pepper (Apr 08)
    - Re: tcpdump script Leon Ward (Apr 08)
    - Re: tcpdump script Jason Brvenik (Apr 08)
    - Re: tcpdump script Leon Ward (Apr 09)
    - Re: tcpdump script John Hally (Apr 08)
  - Message not available
    - Re: tcpdump script Nathaniel Richmond (Apr 08)
    - Re: tcpdump script Nigel Houghton (Apr 08)
    - Message not available
    - Re: tcpdump script Nathaniel Richmond (Apr 08)
    - Re: tcpdump script Will Metcalf (Apr 08)