Snort mailing list archives

Re: [Snort-Users] about capturing packets


From: Martin Holste <mcholste () gmail com>
Date: Tue, 14 Feb 2012 08:57:46 -0600

I've always hoped that a happy middle ground would be reached that could provide
the packet capture for not only the alert but also surrounding sessions
between the client and the attacker (not using traffic tagging in the rule
options) and also all files related to it (EXEs, PDFs, Flash content etc) so
you had much better forensic data without having to give up huge amounts of
disk space to store it all...

That's exactly what streamdb.googlecode.com does, like this:

http://streamdb/?srcip=1.1.1.1&dstip=2.2.2.2&filetype=executable

or filetype=pdf, etc.  It will handle all of the HTTP
gunzipping/dechunking, and then runs file magic on the HTTP response
payload.  It will then provide a distinct object id (oid) for the
extracted object so you can refer to it directly (even when there are
many objects in the same TCP flow), which is great for attaching to
tickets or putting into sandbox submission scripts.  It also allows
for PCRE searches (&pcre=) and uses OpenFPC-compatible URI patterns so
it can be a drop-in replacement for any OpenFPC installation.  Another
important difference is that it has a configurable limit on how much
of the flow to capture (one megabyte by default), which will greatly
improve the utility of your disk.

It does all of this in less than one second even on a 10 TB data
store, because the flows themselves are indexed by IP and timestamp.

We run full pcap alongside StreamDB and almost never need to go back
and wait around to grab pcap.
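The extraction pipeline described in the post (dechunk and gunzip the HTTP response, run file magic on the payload, give each object in the flow its own oid, and keep only a capped prefix of the flow), as an added Python example. This is not StreamDB's own code: the magic-byte table, the function names and the sample flow are constructed for illustration, and file magic is reduced to a leading-bytes check.

```python
import gzip, re, zlib

# Constructed magic-byte table for the object kinds the post names (not StreamDB's own).
MAGIC = [(b"MZ", "executable"), (b"%PDF", "pdf"), (b"CWS", "flash"), (b"FWS", "flash")]

def file_magic(payload):
    """Cheap stand-in for libmagic: classify a payload by its leading bytes."""
    return next((name for sig, name in MAGIC if payload.startswith(sig)), "unknown")

def dechunk(body):
    """Decode a chunked HTTP body -> (decoded bytes, bytes consumed); tolerates truncation."""
    out, pos = b"", 0
    try:
        while True:
            nl = body.index(b"\r\n", pos)
            size = int(body[pos:nl].split(b";")[0], 16)
            pos = nl + 2
            if size == 0:                       # last chunk; assume an empty trailer follows
                return out, body.index(b"\r\n", pos) + 2
            out += body[pos:pos + size]
            pos += size + 2                     # skip chunk data and its trailing CRLF
    except ValueError:                          # flow cut off (e.g. by the capture limit)
        return out, len(body)

def extract_http_objects(flow, capture_limit=1 << 20):   # 1 MB default, as the post states
    """Split the server->client bytes of one TCP flow into typed HTTP response objects."""
    flow, objects, pos = flow[:capture_limit], [], 0    # keep only a capped prefix of the flow
    while (hdr_end := flow.find(b"\r\n\r\n", pos)) >= 0:
        headers = flow[pos:hdr_end].decode("latin-1").lower()
        start = hdr_end + 4
        if "transfer-encoding: chunked" in headers:
            raw, used = dechunk(flow[start:])
            pos = start + used
        else:
            m = re.search(r"content-length:\s*(\d+)", headers)
            length = int(m.group(1)) if m else len(flow) - start
            raw, pos = flow[start:start + length], start + length
        if "content-encoding: gzip" in headers:  # undo HTTP compression; partial gzip yields partial bytes
            raw = zlib.decompressobj(16 + zlib.MAX_WBITS).decompress(raw)
        objects.append({"oid": len(objects), "filetype": file_magic(raw), "size": len(raw)})
    return objects

# Constructed sample flow: a gzipped PE download followed by a chunked PDF in the same TCP session.
EXE_GZ = gzip.compress(b"MZ" + b"\x90" * 62)
SAMPLE_FLOW = (
    b"HTTP/1.1 200 OK\r\nContent-Encoding: gzip\r\nContent-Length: %d\r\n\r\n" % len(EXE_GZ)
    + EXE_GZ
    + b"HTTP/1.1 200 OK\r\nTransfer-Encoding: chunked\r\n\r\n4\r\n%PDF\r\n3\r\n-1.\r\n0\r\n\r\n"
)
```

Running `extract_http_objects(SAMPLE_FLOW)` yields two objects, oid 0 typed executable and oid 1 typed pdf; lowering `capture_limit` so the second body is cut mid-chunk still emits the pdf object with the bytes that were seen.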
