Snort mailing list archives
Re: Ignoring Backups - TCP Stateful?
From: Doug Burks <doug.burks () gmail com>
Date: Wed, 3 Dec 2014 13:59:13 -0500
Hi colony.three,

Replies inline.

On Wed, Dec 3, 2014 at 11:53 AM, colony.three <colony.three () protonmail ch> wrote:
> Can anyone advise?
>
> -------- Original Message --------
> Subject: Ignoring Backups - TCP Stateful?
> Time (GMT): Nov 30 2014 17:26:14
> From: colony.three () protonmail ch
> To: snort-users () lists sourceforge net
>
> Today is backups day. I certainly can't be logging backup packets, because I have 10TB to back up and the SecurityOnion disk is only 100GB. And there's no use in it anyway. I need to Ignore this stream.
>
> So I've moved rsync backups of machines on my LAN to port 8027, so I can set bpf.conf to Ignore traffic on that port. I wish I could set it to Ignore for a certain time period, but it seems that's not possible.
You could write a cron job that would fire at the beginning of your backup window that would put the BPF in place and restart the appropriate services. Then write a second cron job that would fire at the end of your backup window to remove the BPF and restart the appropriate services.
> # Backups
> not (src host 192.168.1.4 and tcp src port 8027)
>
> I think this should not log packets -from- the backups machine (.4) requesting the backup, but what about the responses? These will likely come back on different src and dst ports which there is no way of predicting. If packet capture for tcp is stateful, I should be OK. But somehow I doubt the various SecurityOnion apps assemble tcp packet streams statefully, real-time. I can see how to assemble them later for analysis, but not real-time.
>
> Is there a recommended way to -not- save backup packets to disk in this situation?
Have you seen the BPF page on our Wiki?
https://code.google.com/p/security-onion/wiki/BPF

There are some good examples there and also some good links on how to troubleshoot BPF using tcpdump.

--
Doug Burks
Need Security Onion Training or Commercial Support?
http://securityonionsolutions.com
Last day to register for 3-Day Training Class in Augusta GA is 12/11!
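The cron-driven approach Doug describes, as an added example that is not from the thread or from Security Onion itself: the script swaps the sensor BPF for the backup window and back, and uses a bidirectional `host ... and tcp port ...` exclusion so the rsync replies on ephemeral ports are covered as well, which goes beyond the one-way filter quoted above. It assumes Security Onion's /etc/nsm/rules/bpf.conf, a bpf.conf.base that holds the normal filter, the nsm_sensor_ps-restart command and example cron times; adjust for your install.

```shell
#!/bin/sh
# Added example (not from the thread): narrow the sensor BPF for the backup
# window from cron and restore it afterwards. Assumed paths and restart
# command (bpf.conf, bpf.conf.base, nsm_sensor_ps-restart) may differ.
set -eu
BPF_CONF="${BPF_CONF:-/etc/nsm/rules/bpf.conf}"
BASE_CONF="${BASE_CONF:-/etc/nsm/rules/bpf.conf.base}"   # your normal filter
RESTART_CMD="${RESTART_CMD-nsm_sensor_ps-restart}"       # "" = dry run
BACKUP_HOST="192.168.1.4"   # backup server from the thread
BACKUP_PORT="8027"          # rsync port from the thread
# 'host' and 'port' without src/dst match either direction, so the rsync
# replies on unpredictable ephemeral ports are excluded along with the
# requests; no stream reassembly is needed for that.
backup_filter() {
  printf 'not (host %s and tcp port %s)' "$1" "$2"
}

# Syntax check only: tcpdump -d against an empty pcap needs neither root nor
# an interface. Skipped when tcpdump is not installed.
validate_filter() {
  command -v tcpdump >/dev/null 2>&1 || return 0
  tmp=$(mktemp)
  # 24-byte pcap global header: magic, v2.4, snaplen 65535, linktype Ethernet
  printf '\324\303\262\241\002\000\004\000\000\000\000\000\000\000\000\000\377\377\000\000\001\000\000\000' > "$tmp"
  rc=0; tcpdump -r "$tmp" -d "$1" >/dev/null 2>&1 || rc=$?
  rm -f "$tmp"
  return $rc
}

# Write base filter (comments stripped) AND the backup exclusion, then reload.
enable_backup_bpf() {
  f=$(backup_filter "$1" "$2")
  validate_filter "$f"
  base=$(grep -v '^#' "$BASE_CONF" 2>/dev/null | tr '\n' ' ' | sed 's/^ *//;s/ *$//')
  [ -z "$base" ] || f="($base) and $f"
  printf '# backup window, generated by backup_bpf.sh\n%s\n' "$f" > "$BPF_CONF"
  [ -z "$RESTART_CMD" ] || "$RESTART_CMD"
}
disable_backup_bpf() {
  cp "$BASE_CONF" "$BPF_CONF"
  [ -z "$RESTART_CMD" ] || "$RESTART_CMD"
}
# root crontab for an example 02:00-06:00 Sunday backup window:
#   0 2 * * 0 /usr/local/sbin/backup_bpf.sh enable
#   0 6 * * 0 /usr/local/sbin/backup_bpf.sh disable
case "${1:-}" in
  enable)  enable_backup_bpf "$BACKUP_HOST" "$BACKUP_PORT" ;;
  disable) disable_backup_bpf ;;
esac
```

Before relying on the filter, `tcpdump -i <iface> -n 'not (host 192.168.1.4 and tcp port 8027)'` during a test rsync should show no backup packets in either direction.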
Current thread:
- Ignoring Backups - TCP Stateful? colony.three (Dec 03)
- Re: Ignoring Backups - TCP Stateful? Doug Burks (Dec 03)
- <Possible follow-ups>
- Re: Ignoring Backups - TCP Stateful? Colony.Three (Dec 03)
- Re: Ignoring Backups - TCP Stateful? Doug Burks (Dec 04)
- Re: Ignoring Backups - TCP Stateful? Colony.Three (Dec 04)
- Re: Ignoring Backups - TCP Stateful? Colony.Three (Dec 05)
- Re: Ignoring Backups - TCP Stateful? Doug Burks (Dec 05)
- Re: Ignoring Backups - TCP Stateful? Colony.Three (Dec 05)
- Re: Ignoring Backups - TCP Stateful? Doug Burks (Dec 05)
- Re: Ignoring Backups - TCP Stateful? Colony.Three (Dec 05)
- Re: Ignoring Backups - TCP Stateful? Doug Burks (Dec 05)
- Re: Ignoring Backups - TCP Stateful? Colony.Three (Dec 05)
(Thread continues...)