Snort mailing list archives

Re: Getting more context in snort alerts.


From: beenph <beenph () gmail com>
Date: Mon, 10 Jan 2011 13:37:24 -0500

There is a rule option called tag that can be added to a rule that
would not have it.

And there is the configuration option called config tagged packet
limit: <max-tag>
that can help limit the number of underlying logged packets.

Then the issue comes with correlation of those packets with the
original triggering rule, but it's trivial
if you can code it yourself.


On Mon, Jan 10, 2011 at 1:11 PM, Richard Bejtlich <taosecurity () gmail com> wrote:
Hello,

Try Sguil.  Bamm wrote Sguil a decade ago to solve this problem.  :)

Sincerely,

Richard

On 1/10/11, sudhakar govindavajhala <sudhakarg79spam () gmail com> wrote:
Hi Snort folks,


When Snort identifies something as an attack, it currently only shows me the
single packet that triggered the alarm. It does not show me enough context
to make an informed decision.


Do you have any suggestions on how I could get more context?  Is this
something that Snort supports relatively out of the box or do I have to
write lots of code?   A silly option would be to use tcpdump to log all
packets and then search the logs.    Is there a better approach?


Thanks,
Sudhakar.


------------------------------------------------------------------------------
Gaining the trust of online customers is vital for the success of any company
that requires sensitive data to be transmitted over the Web.   Learn how to
best implement a security strategy that keeps consumers' information secure
and instills the confidence they need to proceed with transactions.
http://p.sf.net/sfu/oracle-sfdevnl
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
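The tag rule option and the tagged packet limit mentioned in beenph's reply, shown together in a Snort 2.x style configuration fragment. This is an added illustration, not part of any message in the thread; the rule contents, SIDs and the limit value are constructed sample values.

```snort
# Cap how many extra packets any single tagging rule may log once it fires.
# 256 is Snort's documented default; 0 removes the cap entirely (assumption:
# check your Snort version's manual before relying on 0).
config tagged_packet_limit: 256

# Session-based tagging: after this rule fires, Snort keeps logging every
# packet of the same TCP session for the next 30 seconds (or until the
# tagged_packet_limit above is hit), giving the analyst the surrounding
# conversation instead of the single triggering packet.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( \
    msg:"EXAMPLE suspicious User-Agent, tag session for context"; \
    flow:to_server,established; \
    content:"User-Agent|3a| example-scanner"; nocase; \
    tag:session,30,seconds; \
    classtype:attempted-recon; sid:1000001; rev:1; )

# Host-based tagging: log the next 20 packets sent by the source host,
# regardless of which session they belong to. Useful when the follow-up
# activity is expected on other ports.
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 ( \
    msg:"EXAMPLE repeated SSH connection marker, tag source host"; \
    flow:to_server,established; \
    content:"SSH-"; depth:4; \
    tag:host,20,packets,src; \
    classtype:attempted-recon; sid:1000002; rev:1; )
```

Tagged packets are written to the same output (for example unified2) as the originating event, so correlation back to the triggering rule is done by matching the event reference carried on each logged packet.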

