Snort mailing list archives
Re: tcpdump script
From: Will Metcalf <william.metcalf () gmail com>
Date: Wed, 8 Apr 2009 12:55:31 -0500
Here is my crappy little perl script to accomplish this, that uses another crappy little perl script... ;-)...

http://node5.blogspot.com/2009/04/small-update-to-pcapparser.html

Regards,

Will

On Wed, Apr 8, 2009 at 12:22 PM, Nathaniel Richmond <nate+snort () richmond-family org> wrote:

> Nigel Houghton wrote:
>> Quoting Leon to make it clear what he actually stated:
>>
>> "The method I use is to keep a limited cache of network traffic via tcpdump's ringbuffer mode, a few 100MB of pcap data. When Snort raises an alert, a process automatically kicks off that extracts the session that caused the alert from the ringbuffer and stores it for prosperity."
>>
>> In short, Leon is not using Snort to grab the packets. He is getting full session data for the event and IMNSHO he's doing it elegantly.
>>
>> p.s. *Everyone* should have upgraded to Snort 2.8.4 already, if not, do it now.
>
> Nigel, I understand. I was trying to point out that there can be value in capturing more sessions than just the one that triggered the alert.
>
> The Snort 2.8.4 upgrade process was relatively painless.
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
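The ring-buffer-plus-extraction approach Leon describes, as an added shell sketch that is not Will's perl script nor Leon's own code: tcpdump keeps a bounded cache of ring files, and a hook fired on a Snort fast-format alert line pulls both directions of the alerting flow out of every ring file. RING_DIR, OUT_DIR, the ring.pcap naming and the 5 x 100 MB sizing are assumptions.

```shell
#!/bin/sh
# Added example (not Leon's or Will's code): keep a limited tcpdump ring buffer and,
# when Snort raises an alert, pull that alert's session out of the ring files.
# Assumed layout: ring files live in RING_DIR as ring.pcap0.., per-alert captures go to OUT_DIR.
RING_DIR="${RING_DIR:-/var/cache/ringbuffer}"
OUT_DIR="${OUT_DIR:-/var/lib/snort/sessions}"

# The cache: 5 files x 100 MB, oldest overwritten in place ("a few 100MB of pcap").
start_ring() {
    tcpdump -i "$1" -s 0 -C 100 -W 5 -w "$RING_DIR/ring.pcap"
}

# Turn a Snort "fast" alert line into: proto src sport dst dport (ports are "-" when absent, e.g. ICMP).
parse_fast_alert() {
    printf '%s\n' "$1" | sed -n \
        -e 's/.*{\([A-Za-z]*\)} \([0-9.]*\):\([0-9]*\) -> \([0-9.]*\):\([0-9]*\).*/\1 \2 \3 \4 \5/p' \
        -e 't' \
        -e 's/.*{\([A-Za-z]*\)} \([0-9.]*\) -> \([0-9.]*\).*/\1 \2 - \3 -/p' | tr 'A-Z' 'a-z'
}

# Build a BPF filter that matches both directions of exactly that flow.
session_filter() {
    proto=$1 src=$2 sport=$3 dst=$4 dport=$5
    case "$proto" in
    tcp|udp)
        printf '%s and ((src host %s and src port %s and dst host %s and dst port %s) or (src host %s and src port %s and dst host %s and dst port %s))' \
            "$proto" "$src" "$sport" "$dst" "$dport" "$dst" "$dport" "$src" "$sport" ;;
    *)
        printf '%s and ((src host %s and dst host %s) or (src host %s and dst host %s))' \
            "$proto" "$src" "$dst" "$dst" "$src" ;;
    esac
}

# Hook run per alert: read every ring file oldest-first so packet order is kept across files.
# Whatever the ring has already overwritten is gone; the buffer size bounds how far back you can reach.
extract_session() {
    set -- $(parse_fast_alert "$1")
    [ $# -eq 5 ] || return 1
    filter=$(session_filter "$@")
    base="$OUT_DIR/$(date +%Y%m%d%H%M%S)-$2-$4"
    n=0
    for f in $(ls -tr "$RING_DIR"/ring.pcap* 2>/dev/null); do
        n=$((n + 1))
        tcpdump -nn -r "$f" -w "$base.$n.pcap" "$filter" 2>/dev/null
    done
    printf '%s\n' "$filter"
}
```

One output file per ring file avoids concatenating pcap headers; merge them afterwards with a pcap-aware tool if a single session file is wanted.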