Re: Tagging

["Steve Crow" <scrow () amarilloheartgroup com>]

You might consider SiLk for efficiently collecting lots of the data for
later analysis:

https://tools.netsa.cert.org/silk/

Steve Crow

-----Original Message-----
From: Jefferson, Shawn [mailto:Shawn.Jefferson () bcferries com] 
Sent: Friday, May 23, 2014 11:24 AM
To: Turnbough, Bradley E.; Snortusers
Subject: Re: [Snort-users] Tagging

Personally, I think the only good "free" solution to this is combining Snort
with some sort of full packet capture.  I personally use both streamDB and
OpenFPC, and have hacked BASE to allow lookup to both of these.  Snorby can
use both of them (although last I checked only one or the other) in a
similar manner.

-----Original Message-----
From: Turnbough, Bradley E. [mailto:bturnbough () belcan com]
Sent: May 21, 2014 6:26 AM
To: Snortusers
Subject: Re: [Snort-users] Tagging

Hi Matheus,

I've asked almost this exact question before and didn't really receive a
decent response.

I have a sensor sitting in between my proxy and my internet connection.  The
IDS alerts on various things, but it only provides the data that trips the
alert.  It doesn't provide the preceeding 'x' number of packets that contain
the metadata.  Makes it very difficult to troubleshoot if you can't
determine the 'x-forwarded-for'.


________________________________
From: Matheus Condi'ez [conma293 () gmail com]
Sent: Tuesday, May 20, 2014 11:07 PM
To: Snortusers
Subject: [Snort-users] Tagging

Hey guys,

Im beginning to muddle around with tagging, can seemingly get the rules to
fire off quite easily and tag 'full' packets for x amount of time, bytes etc
...

But then this gets lumped into the U2 files and processed by Barnyard2 -->
what im wondering is how the packets in addition to the alerting packet get
processed by BY2 output so that it would come up as the whole payload in a
snorby or tripwire interface...

any takers?
_____________________________________________________________ This e-mail
transmission contains information that is confidential and may be
privileged. It is intended only for the addressee(s) named above. If you
receive this e-mail in error, please do not read, copy or disseminate it in
any manner. If you are not the intended recipient, any disclosure, copying,
distribution or use of the contents of this information is prohibited.
Please reply to the message immediately by informing the sender that the
message was misdirected. After replying, please erase it from your computer
system. Your assistance in correcting this error is appreciated.

----------------------------------------------------------------------------
--
"Accelerate Dev Cycles with Automated Cross-Browser Testing - For FREE
Instantly run your Selenium tests across 300+ browser/OS combos.
Get unparalleled scalability from the best Selenium testing platform
available Simple to use. Nothing to install. Get started now for free."
http://p.sf.net/sfu/SauceLabs
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort
news!

----------------------------------------------------------------------------
--
"Accelerate Dev Cycles with Automated Cross-Browser Testing - For FREE
Instantly run your Selenium tests across 300+ browser/OS combos.
Get unparalleled scalability from the best Selenium testing platform
available Simple to use. Nothing to install. Get started now for free."
http://p.sf.net/sfu/SauceLabs
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort
news!


------------------------------------------------------------------------------
"Accelerate Dev Cycles with Automated Cross-Browser Testing - For FREE
Instantly run your Selenium tests across 300+ browser/OS combos.
Get unparalleled scalability from the best Selenium testing platform available
Simple to use. Nothing to install. Get started now for free."
http://p.sf.net/sfu/SauceLabs
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!