Snort mailing list archives
Re: [Snort-Users] about capturing packets
From: Kevin Ross <kevross33 () googlemail com>
Date: Tue, 14 Feb 2012 08:38:38 +0000
Yes, use daemonlogger. Also use openfpc (openfpc.org) to provide an interface for that, and use snorby too to tie it together with snort alerting. Make sure you have plenty of space (or roll over after a certain amount).

If you have the capacity to store it all and have an idea of why you want to do this (do you want to carve all files out and automatically process them for malicious artifacts, do you want to look at more detail for events surrounding the attack, which I guess you do, etc). Hoping to store all traffic however with the intention of just "looking through it" for suspicious stuff would be a waste of your time without clues pointing you to where you should look, i.e. http://blog.damballa.com/?p=1113 :-)

I always hope that a happy middle ground would be reached that could provide the packet capture for not only the alert but also surrounding sessions between the client and the attacker (not using traffic tagging in the rule options) and also all files related to it (EXEs, PDFs, Flash content etc), so you had much better forensic data without having to give up huge amounts of disk space to store it all....

Kind Regards,
Kevin Ross

On 14 February 2012 04:28, umakanta majhi <umakantmajhi () gmail com> wrote:
In IDS mode snort alerts on the packets as per the rules assigned and logs them. My Q is, is it possible to capture all the packets, including these alerted packets, separately?

On Mon, Feb 13, 2012 at 8:21 PM, Joel Esler <jesler () sourcefire com> wrote:

I'm not clear what you mean by "effected" packets? Can you clarify here?

--
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire

On Feb 13, 2012, at 2:14 AM, umakanta majhi wrote:

hi all
can anyone tell how we can log both normal packets and effected packets in IDS mode?

--
To post to this group, send email to snortusers () googlegroups com
Please visit http://blog.snort.org for the latest news about Snort!
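The "happy middle ground" Kevin describes, the alerted session plus the surrounding sessions between the same client and attacker, can be carved out of a daemonlogger-style full packet store after the fact. The following is an added example, not code from this thread or from daemonlogger, openfpc or snorby: it builds a constructed pcap inline, parses Ethernet/IPv4/TCP headers with the standard library only, and returns every flow between the two alert hosts within a time window around the alert timestamp. The hosts, ports, timestamps and 300-second window are assumptions.

```python
import struct

# Constructed sample traffic: (timestamp, src, dst, sport, dport); not real captures.
SAMPLE_PACKETS = [
    (100.0, "10.0.0.5", "192.0.2.10", 40000, 80),     # alerted session, client -> server
    (100.2, "192.0.2.10", "10.0.0.5", 80, 40000),     # reply packet of the same session
    (105.0, "10.0.0.5", "198.51.100.7", 40001, 80),   # different server, not in the alert context
    (130.0, "10.0.0.5", "192.0.2.10", 40002, 443),    # second session between the same two hosts
    (900.0, "10.0.0.5", "192.0.2.10", 40003, 80),     # same hosts, but outside the time window
]

def build_packet(ts, src, dst, sport, dport):
    """Constructed sample pcap record: Ethernet/IPv4/TCP frame with an empty payload."""
    ip_src = bytes(int(o) for o in src.split("."))
    ip_dst = bytes(int(o) for o in dst.split("."))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0, ip_src, ip_dst)
    frame = b"\x00" * 12 + b"\x08\x00" + ip + tcp
    return struct.pack("<IIII", int(ts), round((ts % 1) * 1e6), len(frame), len(frame)) + frame

def build_pcap(packets):
    """Constructed pcap file: 24-byte global header (link type 1 = Ethernet) plus records."""
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    return header + b"".join(build_packet(*p) for p in packets)

def parse_pcap(data):
    """Yield (ts, src, dst, sport, dport) for every IPv4/TCP record in a little-endian pcap."""
    off = 24  # skip the global header
    while off + 16 <= len(data):
        ts_sec, ts_usec, caplen, _ = struct.unpack("<IIII", data[off:off + 16])
        frame = data[off + 16:off + 16 + caplen]
        off += 16 + caplen
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue  # too short, not IPv4, or not TCP
        ihl = (frame[14] & 0x0F) * 4
        src = ".".join(str(b) for b in frame[26:30])
        dst = ".".join(str(b) for b in frame[30:34])
        sport, dport = struct.unpack("!HH", frame[14 + ihl:14 + ihl + 4])
        yield (ts_sec + ts_usec / 1e6, src, dst, sport, dport)

def carve_context(data, alert_ts, host_a, host_b, window=300.0):
    """Map each flow between the two alert hosts (either direction, within window seconds of the alert) to its packet timestamps."""
    flows = {}
    for ts, src, dst, sport, dport in parse_pcap(data):
        if {src, dst} != {host_a, host_b} or abs(ts - alert_ts) > window:
            continue
        key = tuple(sorted([(src, sport), (dst, dport)]))  # direction-agnostic flow key
        flows.setdefault(key, []).append(ts)
    return flows
```

Running `carve_context(build_pcap(SAMPLE_PACKETS), 100.0, "10.0.0.5", "192.0.2.10")` returns the alerted port-80 session (both directions) and the later port-443 session between the same hosts, and drops the unrelated server and the out-of-window packet.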