Snort mailing list archives
Re: tcpdump script
From: Nigel Houghton <nhoughton () sourcefire com>
Date: Wed, 8 Apr 2009 08:43:03 -0400
On Wed, Apr 8, 2009 at 8:01 AM, Nathaniel Richmond <nate+snort () richmond-family org> wrote:
Leon Ward wrote:
The method I use is to keep a limited cache of network traffic via tcpdump's ringbuffer mode, a few 100MB of pcap data. When Snort raises an alert, a process automatically kicks off that extracts the session that caused the alert from the ringbuffer and stores it for prosperity.Another option might be using a second system for packet capture or capturing on one interface and sending it out another interface to a system with more storage. Sguil supports keeping the packet logs on a separate system from the one running Snort. If needed, you can also use BPFs to reduce the amount of traffic captured.I find that this trade-off of storage vs traffic context works great for me. I have a syn->fin pcap for every event i'm interested in without keeping terabytes of traffic hanging around until I get round to analysing an event. I have some working scripts that I could provide if anyone wants them, but I would have to censor them a bit before they can be shared. Let me know.This is definitely better than nothing, but Snort doesn't catch everything so only capturing data related to alerts still leaves room for improvement. Having session data plus packet captures has helped me find plenty of activity that never alerted but was still malicious. It also allows me to go through sessions to packet captures before or after an alert to see how a system was compromised, whether the alert was valid, get a better context, see what an attacker or system did after being exploited, etc. Don't get me wrong, I'm not saying you're doing it wrong, just offering some other suggestions for you or others that are reading.
Quoting Leon to make it clear what he actually stated: "The method I use is to keep a limited cache of network traffic via tcpdump's ringbuffer mode, a few 100MB of pcap data. When Snort raises an alert, a process automatically kicks off that extracts the session that caused the alert from the ringbuffer and stores it for prosperity." In short, Leon is not using Snort to grab the packets. He is getting full session data for the event and IMNSHO he's doing it elegantly. p.s. *Everyone* should have upgraded to Snort 2.8.4 already, if not, do it now. -- Nigel Houghton Head Mentalist SF VRT http://vrt-sourcefire.blogspot.com && http://www.snort.org/vrt/ ------------------------------------------------------------------------------ This SF.net email is sponsored by: High Quality Requirements in a Collaborative Environment. Download a free trial of Rational Requirements Composer Now! http://p.sf.net/sfu/www-ibm-com _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- Re: tcpdump script, (continued)
- Re: tcpdump script Joel Esler (Apr 07)
- Re: tcpdump script Bamm Visscher (Apr 07)
- Re: tcpdump script Nathaniel Richmond (Apr 07)
- Re: tcpdump script Leon Ward (Apr 08)
- Re: tcpdump script Jack Pepper (Apr 08)
- Re: tcpdump script Leon Ward (Apr 08)
- Re: tcpdump script Jason Brvenik (Apr 08)
- Re: tcpdump script Leon Ward (Apr 09)
- Re: tcpdump script John Hally (Apr 08)
- Re: tcpdump script Leon Ward (Apr 08)
- Re: tcpdump script Nathaniel Richmond (Apr 08)
- Re: tcpdump script Nigel Houghton (Apr 08)
- Message not available
- Re: tcpdump script Nathaniel Richmond (Apr 08)
- Re: tcpdump script Will Metcalf (Apr 08)