Snort mailing list archives

Re: Snort-users digest, Vol 1 #1442 - 1 msg


From: "Joe Pampel" <joe () ardsley com>
Date: Wed, 02 Jan 2002 10:42:50 -0500

Hi - 

This was originally posted by Mr. Roesch hisownself back in October to answer a similar query.
(in this case, being triggered by a "cmd.exe" http rule triggers a 300-second traffic grab to 
catch the rest of the conversation..)

-------------------------------------------------------
Subject: Re: [Snort-users] capturing a suspicious traffic stream
Snort can mostly do this with tags and stream4.  Write a rule like this:

alert tcp any any -> $HOME_NET 80   \
        (content: "cmd.exe";        \
        msg: "WEB cmd.exe request"; \
        tag: session, 300, seconds;)

and it'll capture the next 300 seconds worth of this session.  If you're
running stream4 and logging in -b mode, it'll also cause stream4 to dump
out the packet cache for that session when it detects the alert has gone
off, which will record some limited information about what came before
the attack packet as well (in build 81 and higher).

Not quite 100%, but getting there...

     -Marty

-----------------------------------------------------

..I liked it so much that I archived it.. ;-) 

hth,

Joe
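As an added example (not from the thread, and not Snort's own distribution files) of how the pieces Marty lists fit together: the tagged rule placed in a rules file beside a host-based tag variant, the stream4 preprocessor lines that the packet-cache dump depends on, and the command line that turns on -b logging. The file paths, interface name, and SID values are assumptions for illustration.

```snort
# Added example, not from the original thread. Paths, interface and SIDs
# are assumed; tag and stream4 syntax follows the Snort 1.8-era manual.

# snort.conf fragment: stream4 has to be running for the session packet
# cache to be dumped when a tagged alert fires (build 81 and higher).
preprocessor stream4: detect_scans
preprocessor stream4_reassemble

# Variant A: tag the whole TCP session for 300 seconds after the alert.
# Only packets of this same connection (the client<->server 5-tuple) are
# logged, which is what the thread asks for.
alert tcp any any -> $HOME_NET 80 \
        (content: "cmd.exe"; \
        msg: "WEB cmd.exe request"; \
        tag: session, 300, seconds; \
        sid: 1000001; rev: 1;)

# Variant B: tag by host instead of by session. 'src' follows the source
# address of the alerting packet, so everything it sends for the next 300
# seconds is logged, even follow-up connections on other ports.
# Enable only one of A or B: both match the same packet.
# alert tcp any any -> $HOME_NET 80 \
#         (content: "cmd.exe"; \
#         msg: "WEB cmd.exe request (host tag)"; \
#         tag: host, 300, seconds, src; \
#         sid: 1000002; rev: 1;)

# Start snort in IDS mode with binary (tcpdump-format) logging so the
# tagged packets and the stream4 cache dump land under the log directory:
#   snort -c /etc/snort/snort.conf -b -l /var/log/snort -i eth0
```

Read the resulting binary log back with `snort -r <file>` or tcpdump to reconstruct the captured session.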



<snort-users-request () lists sourceforge net> 01/01/02 03:17PM >>>

Message: 1
Date: Tue, 1 Jan 2002 15:47:49 +0100 (MET)
From: Marc Dreher <MarcDreher () gmx net>
To: snort-users () lists sourceforge net.
Subject: [Snort-users] Help needed: Performance Check & Traffic Capture

Hi all,

first, happy new year to everybody :-)

Now my questions. I have played with snort a bit and like it very much and
currently there are two issues I could not get an answer for so far.
1) Is it possible to check snort's performance (if packets are dropped, how
many) while running it in IDS mode? Running in packet logger mode I get this
information but I think performance is quite a bit lower when running in IDS
mode and logging to a database.

2) Also about IDS mode. Often I think it would be very useful if I had the
traffic preceding and following an alert, and not only the packet which
caused the alert. Fast logging format would be enough. Is there a recommended way
or possibility to achieve this in IDS mode, or do I have to run a second
instance of snort for this (which wouldn't do performance too good I guess)?

Sorry if these questions have been posted before but I didn't find an easy
way to search the archive at geocrawler (is there one?)

Thanks for any help

Cheers

Marc




