Snort mailing list archives

Re: Getting more context in snort alerts.


From: "Jefferson, Shawn" <Shawn.Jefferson () bcferries com>
Date: Mon, 10 Jan 2011 15:13:38 -0700

Sguil is supposed to be quite good for this. I personally am actually doing what you describe (actually using Daemonlogger and some custom scripts to gzip, store, and rollover the packet captures). I am moving towards OpenPFC though in the next couple of weeks.
 
 
 
From: sudhakar govindavajhala [mailto:sudhakarg79spam () gmail com] 
Sent: Monday, January 10, 2011 10:00 AM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Getting more context in snort alerts.


Hi Snort folks,
 
 
When Snort identifies something as an attack, it currently only shows me the single packet that triggered the alarm. It does not show me enough context to make an informed decision.
 
 
Do you have any suggestions on how I could get more context? Is this something that Snort supports relatively out of the box or do I have to write lots of code? A silly option would be to use tcpdump to log all packets and then search the logs. Is there a better approach?
 
 
Thanks,
Sudhakar.
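Both the approach the question floats (log everything with tcpdump, search later) and the one the reply describes (Daemonlogger writing rotated, gzipped captures) come down to the same lookup once an alert fires: take the alert's timestamp and flow, find the capture file(s) that cover that moment, and carve out the packets around it. The script below is an added example written for this archive page; it is not code from either poster, from Snort, or from Daemonlogger. It assumes Snort's default "fast" alert format (which omits the year, so the year is passed in), rotated capture files named `<prefix>.<unix start time>` as Daemonlogger produces them (check the names your own logger writes), and a placeholder capture directory `/var/log/daemonlogger`.

```python
"""Pull the packets around a Snort alert out of rotated full-packet captures.

Added example for the snort-users thread on alert context; not project code.
"""
import glob
import re
import shlex
import shutil
import subprocess
from datetime import datetime, timedelta

# Constructed sample alert in Snort's default "fast" format (no year unless -y is used).
SAMPLE_ALERT = ("01/10-10:00:00.123456  [**] [1:1000001:1] LOCAL test alert [**] "
                "[Classification: Misc activity] [Priority: 3] {TCP} "
                "10.0.0.5:51234 -> 192.0.2.10:80")

# Placeholder path; Daemonlogger's rotated files are assumed to be <prefix>.<unix start time>.
CAPTURE_GLOB = "/var/log/daemonlogger/daemonlogger.pcap.*"

ALERT_RE = re.compile(
    r"^(?P<mon>\d\d)/(?P<day>\d\d)-(?P<time>\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r".*?\{(?P<proto>[A-Za-z]+)\}\s+"
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$"
)


def parse_fast_alert(line, year):
    """Parse one fast-format alert line; `year` is supplied because the format omits it."""
    m = ALERT_RE.match(line)
    if not m:
        raise ValueError("not a Snort fast-format alert: %r" % line)
    stamp = datetime.strptime("%d %s/%s %s" % (year, m["mon"], m["day"], m["time"]),
                              "%Y %m/%d %H:%M:%S.%f")
    return {"time": stamp, "sid": int(m["sid"]), "msg": m["msg"],
            "proto": m["proto"].lower(), "src": m["src"], "sport": m["sport"],
            "dst": m["dst"], "dport": m["dport"]}


def context_window(alert, before=60, after=60):
    """Time window (start, end) around the alert, in seconds either side."""
    return (alert["time"] - timedelta(seconds=before),
            alert["time"] + timedelta(seconds=after))


def bpf_for_flow(alert):
    """BPF expression matching both directions of the alert's flow (no ports for ICMP)."""
    a, b = alert["src"], alert["dst"]
    if alert["sport"] is None:
        return "%s and host %s and host %s" % (alert["proto"], a, b)
    ap, bp = alert["sport"], alert["dport"]
    fwd = "src host %s and src port %s and dst host %s and dst port %s" % (a, ap, b, bp)
    rev = "src host %s and src port %s and dst host %s and dst port %s" % (b, bp, a, ap)
    return "%s and ((%s) or (%s))" % (alert["proto"], fwd, rev)


def captures_covering(capture_files, start, end):
    """Select rotated files that can hold packets between start and end.

    A file covers the interval from its own start epoch (from its name) until the
    next file's start epoch; a trailing .gz suffix is ignored when reading the epoch.
    """
    timed = []
    for name in capture_files:
        stem = name[:-3] if name.endswith(".gz") else name
        timed.append((int(stem.rsplit(".", 1)[1]), name))
    timed.sort()
    s, e = start.timestamp(), end.timestamp()
    chosen = []
    for i, (t0, name) in enumerate(timed):
        t1 = timed[i + 1][0] if i + 1 < len(timed) else float("inf")
        if t0 <= e and t1 > s:
            chosen.append(name)
    return chosen


def tcpdump_command(capture_file, bpf, out_file):
    """argv for carving the matching packets from one (uncompressed) capture file."""
    return ["tcpdump", "-nn", "-r", capture_file, "-w", out_file, bpf]


if __name__ == "__main__":
    alert = parse_fast_alert(SAMPLE_ALERT, year=2011)
    start, end = context_window(alert)
    bpf = bpf_for_flow(alert)
    for i, cap in enumerate(captures_covering(glob.glob(CAPTURE_GLOB), start, end)):
        cmd = tcpdump_command(cap, bpf, "context-sid%d-%d.pcap" % (alert["sid"], i))
        print(" ".join(shlex.quote(c) for c in cmd))
        if shutil.which("tcpdump") and not cap.endswith(".gz"):
            subprocess.run(cmd, check=False)
```

The window is deliberately wide (a minute either side) so the handshake and any earlier packets of the same flow land in the carved file; narrow it once you know how your sensor's timestamps line up with the capture files. Files the rollover scripts have already gzipped cannot be opened by `tcpdump -r` directly, so stream them instead: `zcat file.gz | tcpdump -nn -r - -w out.pcap '<bpf>'`.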

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

