Snort mailing list archives
Re: [Snort-Users] about capturing packets
From: Martin Holste <mcholste () gmail com>
Date: Tue, 14 Feb 2012 08:57:46 -0600
> I always hoped that a happy middle ground would be reached that could provide the packet capture for not only the alert but also the surrounding sessions between the client and the attacker (not using traffic tagging in the rule options), and also all files related to it (EXEs, PDFs, Flash content, etc.), so you had much better forensic data without having to give up huge amounts of disk space to store it all.
That's exactly what streamdb.googlecode.com does, like this: http://streamdb/?srcip=1.1.1.1&dstip=2.2.2.2&filetype=executable (or filetype=pdf, etc.). It will handle all of the HTTP gunzipping/dechunking, and then runs file magic on the HTTP response payload. It will then provide a distinct object id (oid) for the extracted object so you can refer to it directly (even when there are many objects in the same TCP flow), which is great for attaching to tickets or putting into sandbox submission scripts. It also allows for PCRE searches (&pcre=) and uses OpenFPC-compatible URI patterns, so it can be a drop-in replacement for any OpenFPC installation. Another important difference is that it has a configurable limit on how much of the flow to capture (one megabyte by default), which will greatly improve the utility of your disk. It does all of this in less than one second even on a 10 TB data store, because the flows themselves are indexed by IP and timestamp. We run full pcap alongside StreamDB and almost never need to go back and wait around to grab pcap.
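As an added illustration of the extraction and lookup steps Martin describes above (example code written for this page, not StreamDB's own code; the prefix-based magic table, the record layout, the `StreamIndex` class and the sample flow are constructed assumptions), the following Python walks the server-to-client half of one HTTP flow, dechunks and gunzips each response, runs file magic on the decoded body, gives every object its own oid so several objects in one TCP flow can be referenced separately, honours a per-flow byte cap (1 MiB default, as in the post) while still classifying a body the cap cut short, and answers srcip/dstip/filetype/pcre lookups over an index keyed by IP pair and timestamp:

```python
import gzip
import hashlib
import re
import zlib

# Constructed magic table (prefix -> label); a real deployment would call libmagic.
MAGIC = [(b"MZ", "executable"), (b"%PDF", "pdf"), (b"FWS", "flash"), (b"CWS", "flash")]
MAX_FLOW_BYTES = 1024 * 1024  # per-flow capture cap, 1 MiB as in the post

def file_magic(payload):
    return next((label for prefix, label in MAGIC if payload.startswith(prefix)), "unknown")

def dechunk(data):
    """Decode a Transfer-Encoding: chunked body -> (body, remaining bytes, complete)."""
    out, pos = bytearray(), 0
    while True:
        nl = data.find(b"\r\n", pos)
        if nl < 0:
            return bytes(out), b"", False  # flow ended inside a chunk-size line
        size = int(data[pos:nl].split(b";")[0].strip(), 16)
        pos = nl + 2
        if size == 0:  # last-chunk, then optional trailers and a blank line
            end = data.find(b"\r\n\r\n", pos - 2)
            return bytes(out), (data[end + 4:] if end >= 0 else b""), True
        out += data[pos:pos + size]
        if len(data) < pos + size + 2:
            return bytes(out), b"", False  # flow ended inside chunk data
        pos += size + 2  # skip the chunk and its trailing CRLF

def decode_body(encoding, body):
    """Undo Content-Encoding; a truncated stream yields its decodable prefix."""
    wbits = {"gzip": 16 + zlib.MAX_WBITS, "deflate": zlib.MAX_WBITS}.get(encoding)
    if wbits is None:
        return body
    try:
        return zlib.decompressobj(wbits).decompress(body)
    except zlib.error:
        return body  # corrupt stream: keep the raw bytes rather than lose the object

def extract_objects(server_bytes, flow_key, max_bytes=MAX_FLOW_BYTES):
    """Walk each HTTP response in the server->client half of one flow (capped at
    max_bytes) and return one record per body, each with its own object id (oid)."""
    data, objects = server_bytes[:max_bytes], []
    while data.startswith(b"HTTP/"):
        hdr_end = data.find(b"\r\n\r\n")
        if hdr_end < 0:
            break
        headers = {}
        for line in data[:hdr_end].decode("latin-1").split("\r\n")[1:]:
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip().lower()
        rest = data[hdr_end + 4:]
        if headers.get("transfer-encoding") == "chunked":
            body, rest, complete = dechunk(rest)
        else:
            length = int(headers.get("content-length", len(rest)))
            body, complete = rest[:length], len(rest) >= length
            rest = rest[length:]
        body = decode_body(headers.get("content-encoding"), body)
        n = len(objects)
        objects.append({"oid": hashlib.sha256(f"{flow_key}#{n}".encode()).hexdigest()[:16],
                        "flow": flow_key, "index": n, "filetype": file_magic(body),
                        "size": len(body), "sha256": hashlib.sha256(body).hexdigest(),
                        "truncated": not complete, "content": body})
        data = rest
    return objects

class StreamIndex:
    """Flows keyed by (client IP, server IP) and timestamp, queried as in the post's URIs."""
    def __init__(self):
        self.flows = {}

    def add_flow(self, ts, srcip, srcport, dstip, dstport, server_bytes):
        key = f"{srcip}:{srcport}-{dstip}:{dstport}@{ts}"
        objects = extract_objects(server_bytes, key)
        self.flows.setdefault((srcip, dstip), []).append((ts, objects))
        return objects

    def query(self, srcip, dstip, start=0, end=float("inf"), filetype=None, pcre=None):
        pattern = re.compile(pcre.encode()) if pcre else None
        return [obj for ts, objects in self.flows.get((srcip, dstip), [])
                if start <= ts <= end for obj in objects
                if (not filetype or obj["filetype"] == filetype)
                and (not pattern or pattern.search(obj["content"]))]

def _chunked(payload, size=7):
    """Constructed helper: emit payload as 7-byte chunks plus a zero-length last-chunk."""
    parts = [payload[i:i + size] for i in range(0, len(payload), size)]
    return b"".join(b"%x\r\n%s\r\n" % (len(p), p) for p in parts) + b"0\r\n\r\n"

# Constructed server->client half of one keep-alive flow: a gzip+chunked PDF, then an EXE.
PDF = b"%PDF-1.4\n1 0 obj << /OpenAction /JavaScript >> endobj\n%%EOF\n"
EXE = b"MZ" + b"\x90" * 62 + b"PE\x00\x00" + b"\x00" * 40
SAMPLE_FLOW = (
    b"HTTP/1.1 200 OK\r\nContent-Type: application/pdf\r\nContent-Encoding: gzip\r\n"
    b"Transfer-Encoding: chunked\r\n\r\n" + _chunked(gzip.compress(PDF)) +
    b"HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n"
    b"Content-Length: %d\r\n\r\n" % len(EXE) + EXE)
```

`StreamIndex().add_flow(ts, "1.1.1.1", 51234, "2.2.2.2", 80, SAMPLE_FLOW)` yields two records, and `query("1.1.1.1", "2.2.2.2", filetype="executable")` or `query(..., pcre=r"/OpenAction\s*/JavaScript")` each return exactly one of them by oid. The point of doing magic after dechunking and gunzipping is that the wire bytes of a gzip-compressed PDF start with the gzip header, not `%PDF`; the point of the cap is that a body cut off at the limit is still classified from its first bytes but carries `truncated=True`, so a ticket or sandbox submission can say so. A production build would swap the prefix table for libmagic and the in-memory dict for an on-disk index, but the flow of the data is the same.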
Current thread:
- Re: [Snort-Users] about capturing packets Kevin Ross (Feb 13)
- <Possible follow-ups>
- Re: [Snort-Users] about capturing packets Joel Esler (Feb 13)
- Message not available
- Re: [Snort-Users] about capturing packets Kevin Ross (Feb 14)
- Re: [Snort-Users] about capturing packets Martin Holste (Feb 14)
- Re: [Snort-Users] about capturing packets Jefferson, Shawn (Feb 14)
- Message not available