Re: getting a full copy of pcap for forensic purpose from Snort

[Jeremy Hoel <jthoel () gmail com>]

We use daemonlogger, snort and cxtracker all listening to the same NIC;
it's not that busy in most cases 100-300MB on the worst box, but we have no
issues.  We use OpenFPC as the controlling agent for daemonlogger and
cxtracker it we can pull pcaps from all our sensors with just one script.
 It works great.

All of this is on CentOS 6.x boxes too.. so nothing exotic or crazy.


On Thu, Mar 20, 2014 at 1:48 PM, Long, Kerry S <kslong () mitre org> wrote:

>  I looked at daemonlogger before.  I looked kind of cool.  Not sure how I
> get it to listen to the interface to dump packets, while at the same time
> feeding snort with it in real time. I could have both Snort and
> daemonlogger read from the same interface. However, I have been cautioned
> by others and seen it myself that having 2 processes listening to the same
> interface at the same time can cause competition which can cause packet
> loss for one or both of the listening processes.  So I don't know if it is
> permissible to have  both processes listening on the interface at the same
> time.  Won't that just guarantee packet loss or is this not as much of
> concern anymore with multiple core machines?
>
>
>
>
>
> Thanks,
>
>
>
> Kerry
>
>
>
>
>
>
>
> *From:* Joel Esler (jesler) [mailto:jesler () cisco com]
> *Sent:* Thursday, March 20, 2014 9:38 AM
> *To:* Long, Kerry S
> *Cc:* snort-users () lists sourceforge net
> *Subject:* Re: [Snort-users] getting a full copy of pcap for forensic
> purposes from Snort
>
>
>
>
>
> On Mar 20, 2014, at 9:26 AM, Long, Kerry S <kslong () mitre org> wrote:
>
>
>
>   I am trying to create a sensor with Snort that has Snort listening on
> the interface processing rules and such while also creating a full copy of
> pcap seen on the interface for forensic purposes.  I have enough storage to
> hold about a month of pcap in this instance.  I am familiar with the
> capability of using a log rule to log packets but the problem is that the
> pcap has to go through all the alert rules first it seems before it can be
> logged.  The problem is that packets can be dropped as the amount of
> network traffic increases during the day.
>
>
>
> I have tried using this in my config file to alleviate the problem:
>
>
>
> # Per Packet latency configuration
>
> config ppm: max-pkt-time 100, \
>
>    fastpath-expensive-packets, \
>
>    pkt-log
>
>
>
> and this has helped somewhat but I am still not logging some packets
> (which for a forensic record is bad) and I am missing the benefit of
> several snort rules that take more than 100 usecs.
>
>
>
>
>
> Any ideas how I can get Snort to both log all packets to disk and alert on
> traffic it sees on the interface.
>
>
>
> Daemonlogger is probably better for simply logging packets to disk, as it
> has some capabilities that Snort does not:
>
>
>
> http://sourceforge.net/projects/daemonlogger/
>
>
>
> That way Snort can perform the IDS function and Daemonlogger can perform
> the traffic logging function.
>
>
>
> --
> *Joel Esler*
> Open Source Manager
> Threat Intelligence Team Lead
> Vulnerability Research Team
>
>
> ------------------------------------------------------------------------------
> Learn Graph Databases - Download FREE O'Reilly Book
> "Graph Databases" is the definitive new guide to graph databases and their
> applications. Written by three acclaimed leaders in the field,
> this first edition is now available. Download your free book today!
> http://p.sf.net/sfu/13534_NeoTech
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>
> Please visit http://blog.snort.org to stay current on all the latest
> Snort news!
------------------------------------------------------------------------------
Learn Graph Databases - Download FREE O'Reilly Book
"Graph Databases" is the definitive new guide to graph databases and their
applications. Written by three acclaimed leaders in the field,
this first edition is now available. Download your free book today!
http://p.sf.net/sfu/13534_NeoTech

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!