Snort mailing list archives
Re: tcpdump script
From: Leon Ward <seclists () rm-rf co uk>
Date: Wed, 8 Apr 2009 10:03:38 +0100
Hello.

I have limited storage available on the sensor that I run Snort on that protects my live systems, but I still wanted more data available for post-event detection analysis than what's contained in the event log. The method I use is to keep a limited cache of network traffic via tcpdump's ringbuffer mode, a few hundred MB of pcap data. When Snort raises an alert, a process automatically kicks off that extracts the session that caused the alert from the ringbuffer and stores it for posterity. I find that this trade-off of storage vs traffic context works great for me. I have a syn->fin pcap for every event I'm interested in without keeping terabytes of traffic hanging around until I get round to analysing an event.

I have some working scripts that I could provide if anyone wants them, but I would have to censor them a bit before they can be shared. Let me know.

-Leon

On Wed, Apr 8, 2009 at 1:25 AM, Nathaniel Richmond <nate+snort () richmond-family org> wrote:
> Jefferson, Shawn wrote:
> > Hi,
> >
> > I wanted to run tcpdump to capture all traffic on my snort sensor, so that if I want to go take a look at traffic based on snort alerts I could get more context. I've set up a couple of scripts to gzip the packet captures and send them to a storage server. My question is about starting tcpdump itself. I tried doing it in the same script that starts snort and barnyard, but this didn't seem to work and I think it's due to the fact that tcpdump needs to be run as root (?). So, I've created a root cron job that runs every five minutes and will start tcpdump if it finds it not running (using "pidof tcpdump").
>
> Have you looked at Sguil since it is designed with full packet capture in mind? It includes scripts that support either Snort in packet logging mode or daemonlogger (recommended) to capture traffic. You use cron to check partition usage and remove the old pcaps at whatever interval is appropriate. Sguil is designed to leave the pcaps on the sensor(s) and only retrieve the traffic that you want to look at. You use either an alert or session data as a starting point to tell Sguil what pcaps you want to retrieve and view either in ASCII or with a tool like Wireshark.
>
> www.sguil.net
> http://nsmwiki.org/Sguil
>
> > Not being a linux guru, is this the right way to approach this problem?
> >
> > Thanks,
> > Shawn

------------------------------------------------------------------------------
This SF.net email is sponsored by: High Quality Requirements in a Collaborative Environment.
Download a free trial of Rational Requirements Composer Now! http://p.sf.net/sfu/www-ibm-com
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
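The ringbuffer-plus-extraction approach Leon describes, worked through as an added example (this is not his script and not anything posted in the thread). The capture side is plain tcpdump in ring-buffer mode, e.g. `tcpdump -i eth0 -s 0 -C 100 -W 10 -w /var/cache/snort-ring/ring.pcap` for ten files of roughly 100 MB that tcpdump overwrites in rotation (the interface and path are assumptions). The Python below is the alert-driven side: it takes a Snort fast-format alert line, derives the TCP/UDP 5-tuple, walks the ring files oldest first and writes every packet of that session, both directions, into a standalone pcap. It parses pcap and IPv4 itself so it runs without tcpdump or scapy; the alert line, the traffic, and the `ring_files()` path are constructed for illustration.

```python
"""Pull the session behind a Snort alert out of tcpdump ring-buffer pcaps.
Added example, not Leon Ward's script. Pure Python (no tcpdump/scapy needed);
IPv4 TCP/UDP over Ethernet only. Paths, alert and traffic below are constructed."""
import glob
import os
import re
import struct

LINKTYPE_ETHERNET = 1
PCAP_MAGIC = 0xA1B2C3D4  # classic pcap, microsecond timestamps
# Flow part of a Snort "fast" alert line: ... {TCP} 10.0.0.5:51234 -> 192.168.1.10:80
ALERT_RE = re.compile(r"\{(TCP|UDP)\}\s+([\d.]+):(\d+)\s+->\s+([\d.]+):(\d+)")

def parse_alert(line):
    """Return (proto, sip, sport, dip, dport) from a fast-format alert line."""
    m = ALERT_RE.search(line)
    if not m:
        raise ValueError("no TCP/UDP flow in alert line: %r" % line)
    proto, sip, sport, dip, dport = m.groups()
    return (proto, sip, int(sport), dip, int(dport))

def bpf_filter(flow):
    """Same selection as a tcpdump filter, for `tcpdump -r ring.pcap0 -w out.pcap '<filter>'`."""
    proto, sip, sport, dip, dport = flow
    one_way = "(src host %s and src port %d and dst host %s and dst port %d)"
    return "%s and (%s or %s)" % (proto.lower(), one_way % (sip, sport, dip, dport),
                                  one_way % (dip, dport, sip, sport))

def same_session(a, b):
    """True if two flows are the same conversation, in either direction."""
    return a == b or (a[0] == b[0] and a[1:3] == b[3:5] and a[3:5] == b[1:3])

def frame_flow(frame):
    """(proto, sip, sport, dip, dport) for an IPv4 TCP/UDP Ethernet frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":  # EtherType must be IPv4
        return None
    l4, proto = 14 + (frame[14] & 0x0F) * 4, frame[23]  # skip IP header (IHL), read protocol
    if proto not in (6, 17) or len(frame) < l4 + 4:
        return None
    sip = ".".join(str(b) for b in frame[26:30])
    dip = ".".join(str(b) for b in frame[30:34])
    sport, dport = struct.unpack("!HH", frame[l4:l4 + 4])
    return ("TCP" if proto == 6 else "UDP", sip, sport, dip, dport)

def iter_packets(data):
    """Yield (ts_sec, ts_usec, frame) from classic pcap bytes, either byte order."""
    end = {PCAP_MAGIC: "<", 0xD4C3B2A1: ">"}.get(struct.unpack("<I", data[:4])[0])
    if end is None:
        raise ValueError("not a classic pcap file")
    if struct.unpack(end + "I", data[20:24])[0] != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet link type is handled")
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl, _orig = struct.unpack(end + "IIII", data[off:off + 16])
        off += 16
        yield ts_sec, ts_usec, data[off:off + incl]
        off += incl

def pcap_header():
    return struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)

def extract_session(flow, pcap_blobs):
    """Return (pcap_bytes, count): every packet of `flow` across the ring files, in order."""
    out, count = [pcap_header()], 0
    for blob in pcap_blobs:
        for ts_sec, ts_usec, frame in iter_packets(blob):
            f = frame_flow(frame)
            if f is not None and same_session(f, flow):
                out.append(struct.pack("<IIII", ts_sec, ts_usec, len(frame), len(frame)) + frame)
                count += 1
    return b"".join(out), count

def ring_files(pattern="/var/cache/snort-ring/ring.pcap*"):  # hypothetical path
    """Ring files oldest first: tcpdump -C/-W reuses names, so order by mtime, not suffix."""
    paths = sorted(glob.glob(pattern), key=os.path.getmtime)
    return [open(p, "rb").read() for p in paths]

# --- constructed sample data (not real traffic) ---
def _frame(sip, sport, dip, dport, flags, payload=b""):
    """Minimal IPv4/TCP Ethernet frame; checksums left zero, nothing here validates them."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     bytes(int(x) for x in sip.split(".")), bytes(int(x) for x in dip.split(".")))
    return b"\xaa" * 6 + b"\xbb" * 6 + b"\x08\x00" + ip + tcp

def _pcap(records):
    return pcap_header() + b"".join(struct.pack("<IIII", ts, 0, len(f), len(f)) + f for ts, f in records)

SAMPLE_ALERT = ("04/08-10:03:38.123456  [**] [1:1000001:1] CONSTRUCTED test alert [**] "
                "[Priority: 2] {TCP} 10.0.0.5:51234 -> 192.168.1.10:80")
A, B = ("10.0.0.5", 51234), ("192.168.1.10", 80)
SAMPLE_RING = [  # two ring files; the session spans both
    _pcap([(1239184990, _frame(*A, *B, 0x02)),  # SYN
           (1239184990, _frame(*B, *A, 0x12)),  # SYN/ACK
           (1239184991, _frame("10.0.0.99", 40000, "192.168.1.20", 443, 0x02))]),  # unrelated
    _pcap([(1239184991, _frame(*A, *B, 0x18, b"GET / HTTP/1.0\r\n\r\n")),  # PSH/ACK
           (1239184992, _frame(*A, *B, 0x11))]),  # FIN/ACK
]
```

In use, `extract_session(parse_alert(line), ring_files())` would be run by whatever tails the alert file, and the result written to per-event storage. Two caveats a practitioner will hit: the ring keeps rotating, so the extraction has to run promptly after the alert or the oldest file (possibly holding the SYN) is overwritten; and the files must be ordered by modification time rather than by the numeric suffix, because after the first wrap the lowest-numbered file is no longer the oldest. A session that began before the ring's window simply comes back without its opening packets, which is the storage-versus-context trade-off Leon describes.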
Current thread:
- tcpdump script Jefferson, Shawn (Apr 07)
- Re: tcpdump script Joel Esler (Apr 07)
- Re: tcpdump script Jason Brvenik (Apr 07)
- Re: tcpdump script Joel Esler (Apr 07)
- Re: tcpdump script Bamm Visscher (Apr 07)
- <Possible follow-ups>
- Re: tcpdump script Nathaniel Richmond (Apr 07)
- Re: tcpdump script Leon Ward (Apr 08)
- Re: tcpdump script Jack Pepper (Apr 08)
- Re: tcpdump script Leon Ward (Apr 08)
- Re: tcpdump script Jason Brvenik (Apr 08)
- Re: tcpdump script Leon Ward (Apr 09)
- Re: tcpdump script John Hally (Apr 08)
- Re: tcpdump script Leon Ward (Apr 08)
- Re: tcpdump script Nathaniel Richmond (Apr 08)
- Re: tcpdump script Nigel Houghton (Apr 08)
- Message not available
- Re: tcpdump script Nathaniel Richmond (Apr 08)
- Re: tcpdump script Will Metcalf (Apr 08)