Snort mailing list archives
Re: Getting more context in snort alerts.
From: Martin Holste <mcholste () gmail com>
Date: Mon, 10 Jan 2011 20:17:29 -0600
All listed are fine options--I'll add one more: log all web requests with httpry so that you can quickly grep for the HTTP request/response involved with an alert, because let's face it, the vast majority of alerts that need investigating are web-related. httpry uses surprisingly few resources, so it makes a great Snort companion.

On Mon, Jan 10, 2011 at 4:13 PM, Jefferson, Shawn <Shawn.Jefferson () bcferries com> wrote:
Sguil is supposed to be quite good for this. I personally am actually doing what you describe (actually using Daemonlogger and some custom scripts to gzip, store, and rollover the packet captures.) I am moving towards OpenPFC though in the next couple of weeks.

From: sudhakar govindavajhala [mailto:sudhakarg79spam () gmail com]
Sent: Monday, January 10, 2011 10:00 AM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Getting more context in snort alerts.

Hi Snort folks,

When Snort identifies something as an attack, it currently only shows me the single packet that triggered the alarm. It does not show me enough context to make an informed decision. Do you have any suggestions on how I could get more context? Is this something that Snort supports relatively out of the box or do I have to write lots of code? A silly option would be to use tcpdump to log all packets and then search the logs. Is there a better approach?

Thanks,
Sudhakar.

------------------------------------------------------------------------------
Gaining the trust of online customers is vital for the success of any company that requires sensitive data to be transmitted over the Web. Learn how to best implement a security strategy that keeps consumers' information secure and instills the confidence they need to proceed with transactions. http://p.sf.net/sfu/oracle-sfdevnl
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
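One way to do the httpry-side correlation Martin describes, as an added example that is not code from any poster in this thread: given a Snort fast-format alert line, pull the request and response records for that flow out of an httpry log within a few seconds of the alert, so the analyst sees the HTTP transaction rather than the single triggering packet. The httpry column layout (its default tab-separated output) and the sample alert and log lines are constructed for the example.

```python
import re
from datetime import datetime, timedelta
# Snort alert_fast line: "MM/DD-HH:MM:SS.usec  [**] ... {PROTO} SRC:SPORT -> DST:DPORT"
ALERT_RE = re.compile(r"^(\d\d)/(\d\d)-(\d\d:\d\d:\d\d)\.\d+\s.*\{\w+\}\s"
                      r"(\S+?):\d+\s->\s(\S+?):\d+$")

def parse_alert(line, year):
    """Return (timestamp, src_ip, dst_ip) from one Snort fast-format alert line."""
    m = ALERT_RE.match(line.strip())
    if not m:
        raise ValueError("not a fast-format alert: %r" % line)
    mon, day, hms, src, dst = m.groups()
    ts = datetime.strptime("%d-%s-%s %s" % (year, mon, day, hms), "%Y-%m-%d %H:%M:%S")
    return ts, src, dst

def parse_httpry(line):
    """Split one httpry record (assumed default tab-separated layout: timestamp, source-ip,
    dest-ip, direction '>' request / '<' response, method, host, request-uri, ...)."""
    fields = line.rstrip("\n").split("\t")
    if line.startswith("#") or len(fields) < 4:
        return None  # comment/header line or something that is not a record
    return datetime.strptime(fields[0], "%Y-%m-%d %H:%M:%S"), fields

def correlate(alert_line, httpry_lines, year, window_seconds=5):
    """Return httpry records on the alert's flow (request src->dst or response
    dst->src) whose timestamp lies within +/- window_seconds of the alert."""
    alert_ts, src, dst = parse_alert(alert_line, year)
    window, hits = timedelta(seconds=window_seconds), []
    for line in httpry_lines:
        rec = parse_httpry(line)
        if rec is None:
            continue
        ts, f = rec
        same_flow = ((f[3] == ">" and (f[1], f[2]) == (src, dst)) or
                     (f[3] == "<" and (f[1], f[2]) == (dst, src)))
        if same_flow and abs(ts - alert_ts) <= window:
            hits.append(f)
    return hits

# Constructed sample input (not from the thread): one alert and a few httpry records.
ALERT = "01/10-14:13:05.412337  [**] [1:1000001:1] CONSTRUCTED web rule [**] [Priority: 2] {TCP} 192.0.2.10:51234 -> 198.51.100.7:80"
HTTPRY_LOG = [
    "2011-01-10 14:12:30\t192.0.2.10\t198.51.100.7\t>\tGET\texample.test\t/index.html\tHTTP/1.1\t-\t-",
    "2011-01-10 14:13:05\t192.0.2.10\t198.51.100.7\t>\tGET\texample.test\t/cgi-bin/test.cgi?id=1\tHTTP/1.1\t-\t-",
    "2011-01-10 14:13:06\t198.51.100.7\t192.0.2.10\t<\t-\t-\t-\tHTTP/1.1\t200\tOK",
    "2011-01-10 14:13:07\t192.0.2.10\t203.0.113.5\t>\tGET\tother.test\t/\tHTTP/1.1\t-\t-",
]

if __name__ == "__main__":
    print("\n".join("\t".join(f) for f in correlate(ALERT, HTTPRY_LOG, year=2011)))
```

The fast format carries no year, so it must be supplied; widen `window_seconds` when the sensor and the httpry box are not clock-synchronised.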
Current thread:
- Getting more context in snort alerts. sudhakar govindavajhala (Jan 10)
- Re: Getting more context in snort alerts. Richard Bejtlich (Jan 10)
- Re: Getting more context in snort alerts. beenph (Jan 10)
- Re: Getting more context in snort alerts. Edward Fjellskål (Jan 10)
- searching for " in content Don Florence (Jan 10)
- Re: searching for " in content Alex Kirk (Jan 10)
- Re: Getting more context in snort alerts. Jefferson, Shawn (Jan 10)
- Re: Getting more context in snort alerts. Martin Holste (Jan 10)
- Re: Getting more context in snort alerts. Kevin Ross (Jan 11)
- Re: Getting more context in snort alerts. Edward Fjellskål (Jan 11)
- Re: Getting more context in snort alerts. Richard Bejtlich (Jan 10)