Snort mailing list archives
NIDS Packet Capture Problem
From: Shishir Tejpal <tejp8050 () uidaho edu>
Date: Tue, 14 Oct 2003 23:55:25 -0700
Hi all,

I am working on a graduate project for which I require clean log files which contain only valid network data w/o port scans, and even remove attacks if they are present. This log file will be used as a training set for anomaly detection.

The problem that I am having is that I am running two snort programs, one as a NIDS and the other as a Sniffer; both log the packets in TCPDUMP format. Now, in order to get a clean log file (containing only clean n/w traffic), I only write packets from the sniffer which are not present in the NIDS log file. This is a very inelegant way, since I have a lot of log files from the summer containing packets captured by a sniffer which in all probability are infected with lots of scan attempts.

Does anybody know of a way that I can only log packets which do not pass any rule (i.e. they could be considered normal)? This would save a lot of computing time and could easily be automated. I am running snort on a win box.

Thanking you in advance,
Shishir Tejpal
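One way to automate the subtraction the post describes, as an added example that is not from the thread or from Snort itself: a small pure-Python reader for the classic libpcap (tcpdump) format, as used by Snort's binary logs, that keeps only those sniffer records whose packet bytes never appear in the NIDS log. The two sample captures are constructed inline with made-up payloads; matching is by packet bytes only, so it assumes both captures were taken with the same snaplen.

```python
import struct
from typing import Iterator, List, Tuple

PCAP_MAGIC = 0xA1B2C3D4  # classic pcap magic number (microsecond timestamps)


def _byte_order(data: bytes) -> str:
    """Return the struct prefix ('<' or '>') matching the file's byte order."""
    for prefix in ("<", ">"):
        if struct.unpack(prefix + "I", data[:4])[0] == PCAP_MAGIC:
            return prefix
    raise ValueError("not a classic pcap file")


def read_records(data: bytes) -> Iterator[Tuple[bytes, bytes]]:
    """Yield (16-byte record header, packet bytes) for every record."""
    prefix = _byte_order(data)
    off = 24  # skip the 24-byte global header
    while off + 16 <= len(data):
        hdr = data[off:off + 16]
        _sec, _usec, incl_len, _orig_len = struct.unpack(prefix + "IIII", hdr)
        pkt = data[off + 16:off + 16 + incl_len]
        if len(pkt) != incl_len:
            raise ValueError("truncated pcap record")
        yield hdr, pkt
        off += 16 + incl_len


def subtract_alerted(sniffer: bytes, nids: bytes) -> bytes:
    """Return a pcap holding only sniffer packets absent from the NIDS log."""
    alerted = {pkt for _, pkt in read_records(nids)}
    out = [sniffer[:24]]  # reuse the sniffer capture's global header
    out.extend(hdr + pkt for hdr, pkt in read_records(sniffer) if pkt not in alerted)
    return b"".join(out)


def packets_in(pcap: bytes) -> List[bytes]:
    return [pkt for _, pkt in read_records(pcap)]


def build_pcap(packets: List[bytes]) -> bytes:
    """Build a little-endian classic pcap image (constructed test data only)."""
    header = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)
    body = b"".join(struct.pack("<IIII", i, 0, len(p), len(p)) + p
                    for i, p in enumerate(packets))
    return header + body


# Constructed captures: the sniffer saw three frames, the NIDS logged one of them.
SNIFFER_PCAP = build_pcap([b"clean-frame-1", b"scan-probe", b"clean-frame-2"])
NIDS_PCAP = build_pcap([b"scan-probe"])
CLEAN_PCAP = subtract_alerted(SNIFFER_PCAP, NIDS_PCAP)
```

Writing CLEAN_PCAP to disk gives a tcpdump-format file that Snort or any pcap tool can read back; exact duplicate frames cannot be told apart by this method, since it ignores timestamps.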