Snort mailing list archives
Re: Tagging
From: "Joel Esler (jesler)" <jesler () cisco com>
Date: Wed, 21 May 2014 22:17:45 +0000
The SOURCEfire commercial product.

--
Joel Esler
Sent from my iPhone

On May 21, 2014, at 15:16, "Matheus Condi'ez" <conma293 () gmail com> wrote:

Right, what commercial product? I just tested out the rule - it just gives me 2500 single events which if pcap'd would be able to reassemble quite nicely, so snort/barnyard2 doesn't have a tool to output/carve the pcaps?

On Thu, May 22, 2014 at 5:30 AM, Joel Esler (jesler) <jesler () cisco com> wrote:

The answer is, I don't think there is an "open source" interface that correlates these events together. Our commercial product does so, but I'm not aware of any GUI that takes the events and mashes them together.

On May 21, 2014, at 6:25 AM, Turnbough, Bradley E. <bturnbough () belcan com> wrote:
Hi Matheus,

I've asked almost this exact question before and didn't really receive a decent response. I have a sensor sitting in between my proxy and my internet connection. The IDS alerts on various things, but it only provides the data that trips the alert. It doesn't provide the preceding 'x' number of packets that contain the metadata. Makes it very difficult to troubleshoot if you can't determine the 'x-forwarded-for'.

________________________________
From: Matheus Condi'ez [conma293 () gmail com]
Sent: Tuesday, May 20, 2014 11:07 PM
To: Snortusers
Subject: [Snort-users] Tagging

Hey guys,

I'm beginning to muddle around with tagging, can seemingly get the rules to fire off quite easily and tag 'full' packets for x amount of time, bytes etc ... But then this gets lumped into the U2 files and processed by Barnyard2 --> what I'm wondering is how the packets in addition to the alerting packet get processed by BY2 output so that it would come up as the whole payload in a snorby or tripwire interface... any takers?
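Matheus's question above (getting the alert packet plus its tagged packets back out of the unified2 files as a pcap) as an added example; this is not code from the thread, from Snort or from Barnyard2. It walks a unified2 stream, groups packet records by (sensor_id, event_id), which tagged packets are assumed here to share with the alert that triggered them, and serialises each group as a classic libpcap file; the sample stream is constructed inline.

```python
import struct
from collections import defaultdict

UNIFIED2_PACKET = 2             # record type: logged packet
UNIFIED2_IDS_EVENT = 7          # record type: IPv4 alert (v1)
REC_HDR = struct.Struct(">II")  # every record: type, length
# packet record: sensor_id, event_id, event_second, packet_second,
# packet_microsecond, linktype, packet_length, then the raw packet
PKT_HDR = struct.Struct(">IIIIIII")

def iter_records(data):
    """Walk a unified2 byte stream, yielding (type, body) per record."""
    off = 0
    while off + REC_HDR.size <= len(data):
        rtype, rlen = REC_HDR.unpack_from(data, off)
        off += REC_HDR.size
        if off + rlen > len(data):
            break               # truncated final record: stop cleanly
        yield rtype, data[off:off + rlen]
        off += rlen

def group_packets(data):
    """Return {(sensor_id, event_id): [(sec, usec, linktype, pkt), ...]}."""
    groups = defaultdict(list)
    for rtype, body in iter_records(data):
        if rtype != UNIFIED2_PACKET or len(body) < PKT_HDR.size:
            continue            # alert and other record types are skipped
        sensor, event, _, sec, usec, lt, plen = PKT_HDR.unpack_from(body)
        pkt = body[PKT_HDR.size:PKT_HDR.size + plen]
        groups[(sensor, event)].append((sec, usec, lt, pkt))
    return dict(groups)

def to_pcap(packets):
    """Serialise one event's packets as a classic libpcap file (bytes)."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, packets[0][2])]
    for sec, usec, _, pkt in packets:
        out.append(struct.pack("<IIII", sec, usec, len(pkt), len(pkt)) + pkt)
    return b"".join(out)

def _packet_record(sensor, event, sec, usec, pkt, linktype=1):
    body = PKT_HDR.pack(sensor, event, sec, sec, usec, linktype, len(pkt)) + pkt
    return REC_HDR.pack(UNIFIED2_PACKET, len(body)) + body
# Constructed sample stream (not a real capture): an alert record, its alert
# packet and one tagged packet (assumed to reuse the alert's event_id), then
# a packet belonging to a different event.
SAMPLE = b"".join([
    REC_HDR.pack(UNIFIED2_IDS_EVENT, 52) + b"\x00" * 52,
    _packet_record(1, 7, 1400000000, 10, b"\x00" * 14 + b"alert packet"),
    _packet_record(1, 7, 1400000000, 20, b"\x00" * 14 + b"tagged follow-up"),
    _packet_record(1, 8, 1400000001, 30, b"\x00" * 14 + b"unrelated event"),
])
```

Writing `to_pcap(pkts)` for each group to a file named after the sensor and event id gives one pcap per alert that any packet viewer can open.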
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
Please visit http://blog.snort.org to stay current on all the latest Snort news!
Current thread:
- Tagging Matheus Condi'ez (May 20)
- Re: Tagging Turnbough, Bradley E. (May 21)
- Re: Tagging Joel Esler (jesler) (May 21)
- Re: Tagging Matheus Condi'ez (May 21)
- Re: Tagging Joel Esler (jesler) (May 21)
- Re: Tagging Joel Esler (jesler) (May 21)
- Re: Tagging Jefferson, Shawn (May 23)
- Re: Tagging Steve Crow (May 23)
- Re: Tagging Vivek Rajagopalan (May 24)
- Re: Tagging Turnbough, Bradley E. (May 21)