Snort mailing list archives
Re: simultaneous snort and tcpdump
From: Martin Roesch <roesch () sourcefire com>
Date: Thu, 26 Sep 2002 21:30:07 -0400
Hi Carl,

You should use tags to record follow-on traffic. Traffic preceding the event is a lot harder; we'd have to have some sort of packet buffering mechanism that could keep the packets around for a relatively long period of time, and then you'd have to search that buffer in the event of a detection. We could do something like a ring buffer that just overwrites its tail over time without getting too crazy, but it'd be best to multi-thread it so that packet acquisition could continue while Snort does its job. Searching the whole buffer to dump packets that precede the event traffic is potentially a very slow process, which could lead to issues. Additionally, the amount of traffic buffered before the event couldn't be guaranteed, so you could never guarantee that you'd get the 10 packets before the event.

So that's the scoop. If anyone wants to tackle the hard end of the problem I'd be interested in seeing the solution you come up with. Tagging is in the "Writing Rules" document at snort.org; if you have any problems using them, let me know.

-Marty

On 9/26/02 4:47 PM, "Carl Gibbons" <cgibbons () du edu> wrote:
> Okay, here's an example of what I'd like: for every snort alert, don't just save (into mmdd () hhmm-snort log) the packet that caused the alert, but also save the ten preceding and ten succeeding packets between the same hosts. This is why I am running tcpdump and snort simultaneously. My question remains.
>
> Sorry, Jason, but your "RTFM" suggestion to craft a clever snort rule doesn't help.
>
> - Carl
>
> On Sun, 22 Sep 2002, Jason wrote:
>
>> create a rule that matches the other interesting traffic. look at the docs for creating rules on snort.org
>>
>> Carl Gibbons wrote:
>>
>>> Thanks, Bennett and Gary. I was needlessly complicating matters. Perhaps I still am: one reason I want simultaneous snort/tcpdump is that "snort -b" only seems to record packets on which it finds a rule match, and I want to record other traffic as well. Perhaps there's an elegant, efficient way to do so with a single snort process?
>>>
>>> - Carl
--
Martin Roesch - Founder/CTO Sourcefire Inc. - (410) 290-1616
Sourcefire: Professional Snort Sensor and Management Console appliances
roesch () sourcefire com - http://www.sourcefire.com
Snort: Open Source Network IDS - http://www.snort.org
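As an added example, not code from this thread or from Snort itself, here is a small Python model of the scheme Marty sketches: a fixed-size ring buffer that overwrites its oldest packet, a backward search of that ring when an alert fires to pull the preceding packets between the same hosts, and a tag-style countdown for the follow-on packets. The class and function names, the addresses and the packet stream are all constructed for the example; Snort's real `tag:` keyword covers only the follow-on half. Running it with a small ring shows the caveat in the reply above: the number of preceding packets actually recovered is whatever the ring still holds for that host pair, not a guaranteed ten.

```python
from collections import deque, namedtuple

# Constructed packet record; a real capture would carry pcap headers and bytes.
Packet = namedtuple("Packet", "seq src dst payload")


def flow_key(pkt):
    """Unordered host pair, so both directions of a conversation share a key."""
    return frozenset((pkt.src, pkt.dst))


class EventContextRecorder:
    """Hypothetical recorder: ring buffer for the packets before an alert,
    a tag-style counter for the packets after it (single-threaded model)."""

    def __init__(self, pre=10, post=10, ring_size=4096):
        self.pre = pre
        self.post = post
        # Fixed-size ring: deque(maxlen=...) silently drops the oldest packet,
        # i.e. the "overwrites its tail over time" behaviour described above.
        self.ring = deque(maxlen=ring_size)
        self.open_tags = []   # alerts still collecting follow-on packets
        self.captures = []    # finished (or flushed) per-alert packet sets

    def process(self, pkt, alert=False):
        key = flow_key(pkt)

        # 1. Follow-on traffic: feed every open tag whose host pair matches.
        still_open = []
        for tag in self.open_tags:
            if tag["key"] == key:
                tag["packets"].append(pkt)
                tag["remaining"] -= 1
            if tag["remaining"] > 0:
                still_open.append(tag)
            else:
                tag["complete"] = True
                self.captures.append(tag)
        self.open_tags = still_open

        # 2. Preceding traffic: on an alert, walk the ring backwards for the
        #    last `pre` packets between the same hosts. The ring is searched
        #    before the triggering packet is appended, and it may hold fewer
        #    matching packets than requested (the caveat in the reply above).
        if alert:
            preceding = []
            for old in reversed(self.ring):
                if flow_key(old) == key:
                    preceding.append(old)
                    if len(preceding) == self.pre:
                        break
            preceding.reverse()
            self.open_tags.append({
                "key": key,
                "trigger": pkt.seq,
                "pre_found": len(preceding),
                "packets": preceding + [pkt],
                "remaining": self.post,
                "complete": False,
            })

        # 3. Every packet, alert or not, enters the ring for future searches.
        self.ring.append(pkt)

    def flush(self):
        """End of capture: tags that never saw `post` more packets stay incomplete."""
        self.captures.extend(self.open_tags)
        self.open_tags = []


def build_stream(n=60):
    """Constructed sample traffic: even seq = A<->B, odd seq = C<->D,
    with the direction alternating each time a pair is used."""
    pkts = []
    for seq in range(n):
        if seq % 2 == 0:
            src, dst = ("10.0.0.1", "10.0.0.2") if seq % 4 == 0 else ("10.0.0.2", "10.0.0.1")
        else:
            src, dst = ("10.0.0.3", "10.0.0.4") if seq % 4 == 1 else ("10.0.0.4", "10.0.0.3")
        pkts.append(Packet(seq, src, dst, "payload-%d" % seq))
    return pkts


def run(alert_seqs, pre=10, post=10, ring_size=4096):
    """Replay the constructed stream, raising an alert on the listed seq numbers."""
    rec = EventContextRecorder(pre, post, ring_size)
    for pkt in build_stream():
        rec.process(pkt, alert=pkt.seq in alert_seqs)
    rec.flush()
    return rec.captures


if __name__ == "__main__":
    for cap in run({30}) + run({30}, ring_size=16) + run({58}):
        print("alert seq %d: %d preceding found, %d packets, complete=%s" % (
            cap["trigger"], cap["pre_found"], len(cap["packets"]), cap["complete"]))
```

The backward search costs time proportional to the ring size on every alert, which is the slowness Marty warns about; a per-host-pair index into the ring would cut that, and the multi-threaded acquisition he suggests is deliberately left out of this single-threaded model. An alert near the end of the capture is reported with `complete=False` so the caller knows the ten follow-on packets never arrived.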
Current thread:
- simultaneous snort and tcpdump Carl Gibbons (Sep 20)
- Re: simultaneous snort and tcpdump Bennett Todd (Sep 20)
- Re: simultaneous snort and tcpdump Gary Flynn (Sep 20)
- Re: simultaneous snort and tcpdump Carl Gibbons (Sep 21)
- Re: simultaneous snort and tcpdump Jason (Sep 22)
- Re: simultaneous snort and tcpdump Carl Gibbons (Sep 26)
- Re: simultaneous snort and tcpdump Bennett Todd (Sep 26)
- Re: simultaneous snort and tcpdump Carl Gibbons (Sep 26)
- Re: simultaneous snort and tcpdump Jason (Sep 26)
- Re: simultaneous snort and tcpdump Gary Flynn (Sep 20)
- Re: simultaneous snort and tcpdump Gary Flynn (Sep 26)
- Re: simultaneous snort and tcpdump Martin Roesch (Sep 26)
- Re: simultaneous snort and tcpdump Bennett Todd (Sep 20)