Snort mailing list archives
Re: Traffic 'surrounding' an alert (was: Help needed: Performance ...)
From: Chris Green <cmg () uab edu>
Date: Wed, 02 Jan 2002 14:01:04 -0600
Marc Dreher <MarcDreher () gmx net> writes:
Hi Erek, I found a few posts on tagging and the feature looks good. Although I am not sure if it is advisable to simply add tagging to every signature.
Only on signatures that you really care about. In my environment I use it to determine if exploits were successful or not ( if they don't have a simple "match an attack.response" rule for 50mbit of traffic.
The reason I want to capture the whole traffic is, that if there is some kind of alert which requires further investigation the ability to pull the surrounding traffic might come in handy. Lately I read that "being able to pull all the traffic from a host is very valuable when doing analysis. If your IDS does not support this, beat on your vendor" ;-) As there is no beating needed in regard to snort my only problem is to find the best way to achieve this from a performance point of view. As I will be having multiple sensors monitoring everything from quite 10MBit workgroup LANs to a rather busy 100Mbit Backbone I can (mostly) only have one machine doing the alerting in IDS mode and the complete (fast mode) traffic capturing as well. Is this practical at all? Has anybody gathered experience on this issue? Suggestions?
Quite frankly, I think not getting the extra data wastes a lot of time having to walk admins through "is your machine patched" when you are dealing with anything other than a small LAN and you can know what services are running. I have 1 machine doing binary and fast mode logging with not too big of a problem. The main trick is to choose rules that you care about and avoid any any -> any any rules ( mainly the shellcode rules ) except on ports you'd expect them on. It's not perfect unfortunately but IDS, if it captures real hacks, has already shown you that it's not a perfect world.
--
Chris Green <cmg () uab edu>
Fame may be fleeting but obscurity is forever.
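The workflow discussed above (one sensor writing a binary packet log alongside fast-mode alerts, then pulling the traffic around an alert for the host involved) as an added example; this is not code from the thread or from Snort. It assumes a fast-mode alert line of the shape `MM/DD-HH:MM:SS.uuuuuu [**] [gid:sid:rev] msg [**] {PROTO} src:port -> dst:port`, a libpcap-format binary log with Ethernet framing, and a caller-supplied year because fast-mode timestamps carry none. The sample alert and packet log are constructed inline.

```python
"""Pull the packets 'surrounding' a Snort alert out of a binary (-b) packet log.

Assumptions (added example, not from the thread or from Snort):
  * fast-mode alert lines look like
    'MM/DD-HH:MM:SS.uuuuuu [**] [gid:sid:rev] msg [**] {PROTO} src:port -> dst:port'
  * the binary log is a classic little-endian libpcap file with Ethernet framing
  * the year is passed in, since fast-mode timestamps do not carry one
"""
import re
import struct
from datetime import datetime, timedelta

PCAP_MAGIC = 0xA1B2C3D4   # classic libpcap, microsecond timestamps
DLT_EN10MB = 1            # Ethernet link type
EPOCH = datetime(1970, 1, 1)

ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse_fast_alert(line, year):
    """Parse one fast-mode alert line into a dict with a full datetime."""
    m = ALERT_RE.match(line.strip())
    if not m:
        raise ValueError("not a fast-mode alert line: %r" % line)
    ts = datetime.strptime("%d/%s" % (year, m.group("ts")), "%Y/%m/%d-%H:%M:%S.%f")
    return {"time": ts, "sid": int(m.group("sid")), "msg": m.group("msg"),
            "src": m.group("src"), "dst": m.group("dst")}


def read_pcap(data):
    """Yield (timestamp, frame_bytes) from a libpcap buffer; refuses other formats."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic != PCAP_MAGIC:
        raise ValueError("unsupported pcap magic 0x%08x" % magic)
    linktype, = struct.unpack_from("<I", data, 20)
    if linktype != DLT_EN10MB:
        raise ValueError("only Ethernet logs are handled")
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack_from("<IIII", data, off)
        off += 16
        frame = data[off:off + incl_len]
        off += incl_len
        yield EPOCH + timedelta(seconds=ts_sec, microseconds=ts_usec), frame


def ipv4_endpoints(frame):
    """Return (src, dst) for an Ethernet/IPv4 frame, or None for anything else."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[14] >> 4 != 4:
        return None
    return (".".join(str(b) for b in frame[26:30]),
            ".".join(str(b) for b in frame[30:34]))


def surrounding_traffic(pcap_bytes, alert, window_seconds=30, host=None):
    """Return [(timestamp, (src, dst))] for packets involving `host` (default: the
    alert's source address) within +/- window_seconds of the alert time."""
    host = host or alert["src"]
    lo = alert["time"] - timedelta(seconds=window_seconds)
    hi = alert["time"] + timedelta(seconds=window_seconds)
    hits = []
    for ts, frame in read_pcap(pcap_bytes):
        if not (lo <= ts <= hi):
            continue
        ends = ipv4_endpoints(frame)
        if ends and host in ends:
            hits.append((ts, ends))
    return hits


# ---- constructed sample data (not a real alert or capture) ----
SAMPLE_ALERT = ("01/02-14:01:04.500000 [**] [1:1000001:1] WEB-ATTACKS cmd.exe access [**] "
                "{TCP} 10.1.2.3:3456 -> 192.168.5.20:80")


def _frame(src, dst):
    """Minimal Ethernet + IPv4 header (TCP, no payload) for the sample log."""
    eth = b"\x00" * 12 + b"\x08\x00"
    ip = bytes([0x45, 0, 0, 20, 0, 0, 0, 0, 64, 6, 0, 0])
    return eth + ip + bytes(map(int, src.split("."))) + bytes(map(int, dst.split(".")))


def _pcap(records):
    """Build a libpcap buffer from (datetime, frame) pairs."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, DLT_EN10MB)
    for ts, frame in records:
        d = ts - EPOCH
        out += struct.pack("<IIII", d.days * 86400 + d.seconds, d.microseconds,
                           len(frame), len(frame)) + frame
    return out


def sample_log():
    """Five constructed packets around the sample alert; three are relevant."""
    t = datetime(2002, 1, 2, 14, 1, 4, 500000)
    return _pcap([
        (t - timedelta(seconds=120), _frame("10.1.2.3", "192.168.5.20")),  # outside window
        (t - timedelta(seconds=5), _frame("10.1.2.3", "192.168.5.20")),    # lead-up
        (t, _frame("10.1.2.3", "192.168.5.20")),                           # the alert packet
        (t + timedelta(seconds=2), _frame("192.168.5.20", "10.1.2.3")),    # server's reply
        (t + timedelta(seconds=3), _frame("172.16.0.9", "192.168.5.20")),  # unrelated host
    ])


if __name__ == "__main__":
    alert = parse_fast_alert(SAMPLE_ALERT, year=2002)
    for ts, (src, dst) in surrounding_traffic(sample_log(), alert):
        print(ts, src, "->", dst)
```

Keeping the server's reply in the slice is the point of the exercise: the attack.response-style check Chris mentions is just a question about that reply, and a small window of both directions around the alert answers it without a separate rule.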