Snort mailing list archives
Re: tcpdump script
From: "Nathaniel Richmond" <nate+snort () richmond-family org>
Date: Wed, 8 Apr 2009 08:01:12 -0400 (EDT)
Leon Ward wrote:
> Hello. I have limited storage available on the sensor that I run Snort on that protects my live systems, but I still wanted more data available for post-event detection analysis than what's contained in the event log. The method I use is to keep a limited cache of network traffic via tcpdump's ringbuffer mode, a few 100MB of pcap data. When Snort raises an alert, a process automatically kicks off that extracts the session that caused the alert from the ringbuffer and stores it for posterity.
Another option might be using a second system for packet capture or capturing on one interface and sending it out another interface to a system with more storage. Sguil supports keeping the packet logs on a separate system from the one running Snort. If needed, you can also use BPFs to reduce the amount of traffic captured.
> I find that this trade-off of storage vs traffic context works great for me. I have a syn->fin pcap for every event I'm interested in without keeping terabytes of traffic hanging around until I get round to analysing an event. I have some working scripts that I could provide if anyone wants them, but I would have to censor them a bit before they can be shared. Let me know.
This is definitely better than nothing, but Snort doesn't catch everything, so only capturing data related to alerts still leaves room for improvement. Having session data plus packet captures has helped me find plenty of activity that never alerted but was still malicious. It also allows me to go through sessions to packet captures before or after an alert to see how a system was compromised, whether the alert was valid, get a better context, see what an attacker or system did after being exploited, etc. Don't get me wrong, I'm not saying you're doing it wrong, just offering some other suggestions for you or others that are reading.
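The alert-triggered extraction Leon describes, written out as an added example (this is not Leon's script and not part of the original thread). It assumes tcpdump was started in ring-buffer mode as `tcpdump -i eth0 -s 0 -C 100 -W 5 -w /var/cache/ring/ring.pcap` (which names the files `ring.pcap0` .. `ring.pcap4`), that Snort writes alerts in its "fast" output format, and that Wireshark's `mergecap` is installed to stitch the per-file extracts back together. The sample alert line and file paths are constructed for illustration.

```python
"""Pull the session behind a Snort alert out of a tcpdump ring buffer.

Added example, not Leon Ward's script. Assumed layout:
  - ring files:  /var/cache/ring/ring.pcap0 .. ring.pcap4  (tcpdump -C 100 -W 5)
  - alert input: one line of Snort "alert_fast" output
  - mergecap (Wireshark) available to merge the per-file extracts
"""
import re
import subprocess
from pathlib import Path

# Snort "fast" alert layout:
#   MM/DD-HH:MM:SS.usec  [**] [gid:sid:rev] msg [**] ... {PROTO} src:sport -> dst:dport
# ICMP alerts carry no ports, so the port groups are optional.
FAST_ALERT = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\].*?"
    r"\{(?P<proto>[A-Z]+)\}\s+"
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$"
)


def parse_fast_alert(line):
    """Return the alert's fields (sid, proto, src/dst, ports) as a dict."""
    m = FAST_ALERT.match(line.strip())
    if not m:
        raise ValueError("not a Snort fast-format alert: %r" % line)
    alert = m.groupdict()
    alert["proto"] = alert["proto"].lower()   # BPF keywords are lowercase
    return alert


def session_filter(alert):
    """Build a BPF expression that matches both directions of the flow."""
    proto, src, dst = alert["proto"], alert["src"], alert["dst"]
    if proto in ("tcp", "udp") and alert["sport"] and alert["dport"]:
        fwd = "(src host %s and src port %s and dst host %s and dst port %s)" % (
            src, alert["sport"], dst, alert["dport"])
        rev = "(src host %s and src port %s and dst host %s and dst port %s)" % (
            dst, alert["dport"], src, alert["sport"])
        return "%s and (%s or %s)" % (proto, fwd, rev)
    # No ports (e.g. ICMP): match the host pair in either direction.
    return "%s and host %s and host %s" % (proto, src, dst)


def ring_files(directory, prefix="ring.pcap"):
    """Ring-buffer files, oldest first, so the extract is in capture order."""
    files = [p for p in Path(directory).iterdir() if p.name.startswith(prefix)]
    return sorted(files, key=lambda p: p.stat().st_mtime)


def extract_commands(alert, files, out_path):
    """Commands to run: filter each ring file with tcpdump, then merge the pieces.

    Returned as argv lists (no shell) so the BPF string is never re-parsed by sh.
    """
    bpf = session_filter(alert)
    cmds, pieces = [], []
    for i, f in enumerate(files):
        piece = "%s.part%d" % (out_path, i)
        pieces.append(piece)
        cmds.append(["tcpdump", "-n", "-r", str(f), "-w", piece, bpf])
    cmds.append(["mergecap", "-w", str(out_path)] + pieces)   # mergecap assumed installed
    return cmds


def extract_session(alert_line, ring_dir, out_dir):
    """Run the extraction for one alert line; returns the path of the saved pcap."""
    alert = parse_fast_alert(alert_line)
    out = Path(out_dir) / ("sid%s_%s_%s.pcap" % (alert["sid"], alert["src"], alert["dst"]))
    for cmd in extract_commands(alert, ring_files(ring_dir), out):
        subprocess.run(cmd, check=True)
    return out


# Constructed sample alert (local-rule SID range, documentation addresses).
SAMPLE_ALERT = ("04/08-08:01:12.123456  [**] [1:1000001:1] LOCAL test rule [**] "
                "[Classification: Misc activity] [Priority: 3] {TCP} "
                "192.0.2.10:51234 -> 198.51.100.7:22")

if __name__ == "__main__":
    # Dry run: print the commands that would be executed for the sample alert.
    a = parse_fast_alert(SAMPLE_ALERT)
    for cmd in extract_commands(a, [Path("/var/cache/ring/ring.pcap0")], Path("/tmp/out.pcap")):
        print(" ".join(cmd))
```

In production this would be driven by something that tails the alert file (or a Barnyard/unified2 consumer) and calls `extract_session` per alert; the BPF covers both directions so the saved pcap contains the whole SYN-to-FIN exchange rather than only the packet that fired the rule, which is the context Nathaniel's reply is after.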