[Snort-users] Database plugin question

Phil Wood cpw at ...440...
Wed Aug 14 16:32:03 EDT 2002


On Wed, Aug 14, 2002 at 12:33:24PM -0500, Radu Brumariu wrote:
> Yes, this is very close to what I thought.
> Actually I have some trace files that I want to filter through snort,
> but I need the database populated with all the packets found in the
> trace. That's because I want to initially remove some rules and then try
> to produce them, using some algorithm. I just need to run the algorithm
> on the whole database, ip or not ip, just everything that the nic will

What will be your variables, mac, frame size, and encapsulation?  That's
about the only thing ip and not ip have in common.

> see.
> I am also considering modifying tcpdump so it will log to a database
> rather than flat file.

In your case, there are no rules, so you might get your process to log to
a database without impacting the collection process.

I would do database stuff after the fact.  In my case, we have just too much
traffic.  If I enable database in snort (or in tcpdump assuming it existed),
I would lose lots of packets.

I'm running the full rules set as distributed (leaving the comment'd ones
alone, so the pattern searching and other pre-processing cause some delay
between each packet that can become a problem at higher packet rates).

I'm already losing up to 500,000 on a daily basis while just using the -b
option, 'cause I haven't removed some of the rules that, although they
indicate someone is hacking, have no relation to our world (I'm on the
outside of a firewall which drops these bad boys).

I'm a believer in post processing.  However, for a selected set of rules, ones
that really mean that someone has just compromised an sshd with an as yet
unknown vulnerability, I send a page the second it shows up in syslog (using
the old tail -f syslog trick with a few heuristics thrown in so I don't get
inundated).

FYI, here is a summary of our traffic (not alerts, which are between 1 and 2
million every day), for the past few days.  Each line represents about 24 hours
of traffic.

File                  packets     pps seconds  drops  alerts
20020729.0000.stats 688687556 7976.81   86399 507263 1003325
20020730.0000.stats 643468531 7450.67   86398 257396 1059096
20020731.0000.stats 633146795 7328.38   86398  16330  969309
20020801.0000.stats 479954493 5555.10   86398      0 1034750
20020802.0000.stats 331885237 3841.31   86398      0  733700

20020805.0000.stats 589246551 6820.00   86399      0 1361559
20020806.0000.stats 637745363 7381.44   86398   1320 1333748
20020807.0000.stats 574851915 6653.70   86398  17523 1613854
20020808.0000.stats 609534381 7057.84   86398 254689 1252662
20020809.0000.stats 439044695 5081.59   86399      0 1629471

20020812.0000.stats 522056702 6042.34   86399      0 1333786

> 
> Let me know what you think.
> 
> Thanks,
> Radu
> 
> 
> 
> On Wed, 2002-08-14 at 16:31, Phil Wood wrote:
> > On Wed, Aug 14, 2002 at 10:13:47AM -0500, Radu Brumariu wrote:
> > > 
> > > Thanks, Jeffrey for the input. 
> > > However, I would like snort to log _all_ the packets that it sees,
> > > including arp,igrp,gre, etc.
> > 
> > I would use tcpdump for that:
> > 
> >   tcpdump -i eth0 -w pcapfile -s 1514
> > 
> > You can even feed that file into snort for analysis.  Instead of -i, use
> > 
> >   -r pcapfile
> > 
> > snort does not handle non ip packets.  You could use snort to grab the
> > ip packets with the rule supplied by Jeffrey, and you could use tcpdump at
> > the same time to get all the non-ip packets with the following:
> > 
> >   tcpdump -i eth0 -w pcapfile -s 1514 not ip
> > 
> > > 
> > > Radu
> > > 
> > > 
> > > On Wed, 2002-08-14 at 14:42, Dell, Jeffrey wrote:
> > > > Use the rule:
> > > > 
> > > > log ip any any <> any any 
> > > > 
> > > > This will log all ip packets.
> > > > 
> > > > -----Original Message-----
> > > > From: Radu Brumariu [mailto:brumariur at ...908...] 
> > > > Sent: Wednesday, August 14, 2002 10:27 AM
> > > > To: snort-users at lists.sourceforge.net
> > > > Subject: [Snort-users] Database plugin question
> > > > 
> > > > 
> > > > 
> > > > Hi all,
> > > > I would like to know if it is possible to trick snort into logging every
> > > > packet that it sees to the database rather than log|alert?
> > > > 
> > > > thanks,
> > > > Radu
> > > > 
> > > > 
> > > > 
> > > > 
> > > > 
> > > > -------------------------------------------------------
> > > > This sf.net email is sponsored by: Dice - The leading online job board for
> > > > high-tech professionals. Search and apply for tech jobs today!
> > > > http://seeker.dice.com/seeker.epl?rel_code=31
> > > > _______________________________________________
> > > > Snort-users mailing list
> > > > Snort-users at lists.sourceforge.net
> > > > Go to this URL to change user options or unsubscribe:
> > > > https://lists.sourceforge.net/lists/listinfo/snort-users
> > > > Snort-users list archive:
> > > > http://www.geocrawler.com/redir-sf.php3?list=snort-users
> > > 
> > 
> > -- 
> > Phil Wood, cpw at ...440...
> > 
> 

-- 
Phil Wood, cpw at ...440...
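The "tail -f syslog trick with a few heuristics" Phil describes above, written out as an added example that is not code from this thread: it parses Snort's syslog alert line format, pages only on a hypothetical watchlist of sids, and suppresses repeat pages for the same (sid, src, dst) inside a quiet window. The sid 999001, the host names, the addresses and the sample alert lines are all constructed for the example.

```python
import re
import time

# Snort syslog alert line, in the shape snort -s wrote it (1.x era):
# "<ts> <host> snort[pid]: [gid:sid:rev] msg [Classification: ..] [Priority: n]: {PROTO} src:port -> dst:port"
ALERT_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ snort\[\d+\]: "
    r"\[(?P<gid>\d+):(?P<sid>\d+):\d+\] (?P<msg>.*?) "
    r"(?:\[Classification: [^\]]*\] )?\[Priority: (?P<prio>\d+)\]: "
    r"\{(?P<proto>\w+)\} (?P<src>[\d.]+)(?::\d+)? -> (?P<dst>[\d.]+)(?::\d+)?")

# Hypothetical watchlist of "page me now" sids; 999001 is constructed, not a real Snort rule id.
PAGE_SIDS = {999001}

def parse_alert(line):
    """Parse one snort syslog alert line into a dict, or return None."""
    m = ALERT_RE.match(line)
    if not m:
        return None
    t = time.strptime(m.group("ts"), "%b %d %H:%M:%S")   # syslog has no year
    secs = ((t.tm_yday * 24 + t.tm_hour) * 60 + t.tm_min) * 60 + t.tm_sec
    return {"t": secs, "sid": int(m.group("sid")), "msg": m.group("msg"),
            "src": m.group("src"), "dst": m.group("dst")}

class Pager:
    """Heuristic: one page per (sid, src, dst) per `window` seconds, so a rule firing 200 times sends 1 page."""
    def __init__(self, window=600):
        self.window, self.last = window, {}   # key -> time of last page sent
    def should_page(self, a):
        if a["sid"] not in PAGE_SIDS:
            return False
        key = (a["sid"], a["src"], a["dst"])
        if key in self.last and a["t"] - self.last[key] < self.window:
            return False                      # still inside the quiet window
        self.last[key] = a["t"]
        return True

def process(lines, window=600):
    """Run the tail -f stream through the filter; return the alerts to page on."""
    pager, pages = Pager(window), []
    for line in lines:
        a = parse_alert(line)
        if a and pager.should_page(a):
            pages.append(a)
    return pages

# Constructed sample stream: a watchlisted alert repeated, one noisy non-watchlisted rule,
# a second target, then the first target again after the window has elapsed.
SAMPLE = """\
Aug 14 16:32:03 sensor snort[4711]: [1:999001:1] EXAMPLE sshd exploit attempt [Classification: Attempted Administrator Privilege Gain] [Priority: 1]: {TCP} 192.0.2.10:40112 -> 198.51.100.5:22
Aug 14 16:32:04 sensor snort[4711]: [1:999001:1] EXAMPLE sshd exploit attempt [Classification: Attempted Administrator Privilege Gain] [Priority: 1]: {TCP} 192.0.2.10:40113 -> 198.51.100.5:22
Aug 14 16:32:05 sensor snort[4711]: [1:999002:1] EXAMPLE noisy scan rule [Priority: 3]: {ICMP} 192.0.2.10 -> 198.51.100.5
Aug 14 16:40:09 sensor snort[4711]: [1:999001:1] EXAMPLE sshd exploit attempt [Classification: Attempted Administrator Privilege Gain] [Priority: 1]: {TCP} 192.0.2.10:40114 -> 198.51.100.7:22
Aug 14 16:45:00 sensor snort[4711]: [1:999001:1] EXAMPLE sshd exploit attempt [Classification: Attempted Administrator Privilege Gain] [Priority: 1]: {TCP} 192.0.2.10:40115 -> 198.51.100.5:22
""".splitlines()
```

Feeding real syslog through it is `tail -f /var/log/messages | python3 pager.py` with `process(sys.stdin)` and a send step in place of collecting the list.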
