Snort mailing list archives

Re: [Snort-Users] about capturing packets


From: Kevin Ross <kevross33 () googlemail com>
Date: Tue, 14 Feb 2012 08:38:38 +0000

Yes, use daemonlogger. Also use openfpc (openfpc.org) to provide an
interface for that and use snorby too to tie it together with snort
alerting. Make sure you have plenty of space (or roll over after a certain
amount). If you have the capacity to store it all and have an idea of why
you want to do this (do you want to carve all files out and automatically
process them for malicious artifacts, do you want to look at more detail
for events surrounding the attack, which I guess you do, etc.). Hoping to
store all traffic however with the intention of just "looking through it"
for suspicious stuff would be a waste of your time without clues pointing
you to where you should look. I.e. http://blog.damballa.com/?p=1113 :-)

I always hope that a happy middle ground would be reached that could
provide the packet capture for not only the alert but also surrounding
sessions between the client and the attacker (not using traffic tagging in
the rule options) and also all files related to it (EXEs, PDFs, Flash
content etc.) so you had much better forensic data without having to give up
huge amounts of disk space to store it all...

Kind Regards,
Kevin Ross
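An added example (not code from this message, nor from daemonlogger, OpenFPC or Snorby) of the "capture for the alert plus the surrounding session" step described above: given the rotating libpcap files a full-packet logger such as daemonlogger writes, plus the timestamp and 5-tuple from a Snort alert, carve out every packet of that flow within a time window and write it to a new pcap. The pcap parsing is pure standard library; the file-name glob, the 300 s window, and the sample capture are assumptions constructed for the example, and only Ethernet/IPv4 TCP and UDP are handled.

```python
"""Carve the session surrounding a Snort alert out of rotating pcap files.

Added example; not the thread's or any project's own code. Assumes a
full-packet logger (e.g. daemonlogger) wrote libpcap-format files and a
Snort alert supplied a timestamp plus 5-tuple. The sample capture is
constructed in-line so this runs offline.
"""
import glob
import socket
import struct

LINKTYPE_ETHERNET = 1
# Assumed location/naming of the rotated capture files (adjust for your logger).
CAPTURE_GLOB = "/var/log/pcap/daemonlogger.pcap.*"


def read_pcap(data):
    """Yield (timestamp as float seconds, frame bytes) from a libpcap blob."""
    magic = data[:4]
    if magic == b"\xd4\xc3\xb2\xa1":
        endian, div = "<", 1e6
    elif magic == b"\xa1\xb2\xc3\xd4":
        endian, div = ">", 1e6
    elif magic == b"\x4d\x3c\xb2\xa1":
        endian, div = "<", 1e9          # nanosecond-resolution variant
    elif magic == b"\xa1\xb2\x3c\x4d":
        endian, div = ">", 1e9
    else:
        raise ValueError("not a libpcap file")
    linktype = struct.unpack(endian + "I", data[20:24])[0]
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("example only handles Ethernet captures")
    rec = struct.Struct(endian + "IIII")        # ts_sec, ts_frac, incl_len, orig_len
    off = 24
    while off + rec.size <= len(data):
        sec, frac, incl, _orig = rec.unpack_from(data, off)
        off += rec.size
        yield sec + frac / div, data[off:off + incl]
        off += incl


def flow_of(frame):
    """Return (proto, (src_ip, sport), (dst_ip, dport)) for IPv4 TCP/UDP, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":   # not IPv4 over Ethernet
        return None
    ihl = (frame[14] & 0x0F) * 4
    proto = frame[23]
    if proto not in (6, 17) or len(frame) < 14 + ihl + 4:
        return None
    src, dst = socket.inet_ntoa(frame[26:30]), socket.inet_ntoa(frame[30:34])
    sport, dport = struct.unpack("!HH", frame[14 + ihl:14 + ihl + 4])
    return proto, (src, sport), (dst, dport)


def flow_key(proto, a, b):
    """Direction-independent key so both halves of the conversation match."""
    return (proto,) + tuple(sorted((a, b)))


def carve_session(pcap_blobs, alert_ts, proto, src, sport, dst, dport, window=300.0):
    """Collect every packet of the alert's flow within +/- window seconds of the alert."""
    want = flow_key(proto, (src, sport), (dst, dport))
    found = []
    for blob in pcap_blobs:
        for ts, frame in read_pcap(blob):
            if abs(ts - alert_ts) > window:
                continue
            f = flow_of(frame)
            if f is not None and flow_key(*f) == want:
                found.append((ts, frame))
    found.sort(key=lambda p: p[0])
    return found


def write_pcap(packets):
    """Serialise (ts, frame) pairs as a little-endian microsecond libpcap file."""
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    body = b"".join(
        struct.pack("<IIII", int(ts), int((ts - int(ts)) * 1e6), len(fr), len(fr)) + fr
        for ts, fr in packets)
    return hdr + body


def _frame(src, sport, dst, dport, proto=6, payload=b""):
    """Build a minimal Ethernet/IPv4/TCP-or-UDP frame (checksums left zero)."""
    eth = b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb" + b"\x08\x00"
    rest = b"\x00" * 16 if proto == 6 else b"\x00" * 4     # remainder of TCP/UDP header
    l4 = struct.pack("!HH", sport, dport) + rest + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return eth + ip + l4


def build_sample_capture():
    """Constructed sample: two rotated capture files and the alert timestamp."""
    t0 = 1329208000.0   # arbitrary epoch near the thread's date, Feb 2012
    file1 = write_pcap([
        (t0 + 1.0, _frame("10.0.0.5", 49152, "203.0.113.9", 80)),      # client -> attacker
        (t0 + 1.2, _frame("203.0.113.9", 80, "10.0.0.5", 49152)),      # attacker -> client
        (t0 + 2.0, _frame("10.0.0.7", 53001, "10.0.0.1", 53, proto=17)),  # unrelated DNS
    ])
    file2 = write_pcap([
        (t0 + 100.0, _frame("10.0.0.5", 49152, "203.0.113.9", 80, payload=b"GET /x.exe")),  # alerted
        (t0 + 100.5, _frame("203.0.113.9", 80, "10.0.0.5", 49152, payload=b"MZ")),
        (t0 + 5000.0, _frame("10.0.0.5", 49152, "203.0.113.9", 80)),   # later port reuse, out of window
    ])
    return t0 + 100.0, [file1, file2]


def demo():
    """Run the carve over the constructed sample; returns the matched packets."""
    alert_ts, blobs = build_sample_capture()
    return carve_session(blobs, alert_ts, 6, "10.0.0.5", 49152, "203.0.113.9", 80)


def load_captures(pattern=CAPTURE_GLOB):
    """Read the real rotated files (assumed naming) in on-disk order."""
    return [open(path, "rb").read() for path in sorted(glob.glob(pattern))]


if __name__ == "__main__":
    session = demo()
    open("alert_session.pcap", "wb").write(write_pcap(session))
    print("carved %d packets" % len(session))
```

On the sample the carve keeps the four packets of the client/attacker flow around the alert and drops the unrelated DNS packet and the same 5-tuple seen well outside the window; the result is a pcap Snorby or OpenFPC could be pointed at, or that a file-carving step could consume.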


On 14 February 2012 04:28, umakanta majhi <umakantmajhi () gmail com> wrote:

In IDS mode Snort alerts on the packets as per the rules assigned and logs
them. My question is, is it possible to capture all the packets, including
these alerted packets, separately?



On Mon, Feb 13, 2012 at 8:21 PM, Joel Esler <jesler () sourcefire com> wrote:

I'm not clear what you mean by "effected" packets?

Can you clarify here?

--
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire

On Feb 13, 2012, at 2:14 AM, umakanta majhi wrote:

Hi all,

Can anyone tell how we can log both normal packets and effected packets
in IDS mode?

--
To post to this group, send email to snortusers () googlegroups com


Please visit http://blog.snort.org for the latest news about Snort!


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
