[Snort-users] Traffic 'surrounding' an alert (was: Help needed: Performance ...)

Marc Dreher MarcDreher at ...158...
Wed Jan 2 10:14:15 EST 2002

Hi Erek,

thanks for your answers, they helped to get further on...

> > 2) Also about IDS mode. Often I think it would be very usefull if I had
> the
> > traffic preceeding and following an alert, and not only the packet which
> > caused the alert. Fast logging format would be enough. Is there a
> recomended way
> > or possibility to achive this in IDS mode or do I have to run a second
> > instance of snort for this (which wouldn't do performance to good I
> guess)
> You can use tagging to do something like this.  IIRC, you can't grab any
> 'before' the alert, but you can grab them after the alert.  Check the
> archives[1] for the snort-dev list for a discussion on this.  Search for
> Chris
> Green <cmg at ...671...>.

I found a few posts on tagging and the feature looks good. Allthough I am
not sure if it is advisable to simple add tagging to every signature. 
The reason I want to caputre the whole traffic is, that if there is some
kind of alert which requires further investigation the ability to pull the
surrounding traffic might come in handy. Lately I read that "being able to pull
all the traffic from a host is very valuable when doing analysis. If your IDS
does not support this, beat on your vendor" ;-)
As there is no beating needed in regard of snort my only problem is to find
the best way to achive this from a performance point of view. As I will be
having multiple sensors monitoring everything from quite 10MBit workgroup LANs
to a rather busy 100Mbit Backbone I can (mostly) only have one machine doing
the alerting in IDS mode and the complete (fast mode) traffic captureing as
well. Is this practical at all? Has anybody gathered experience on this issue?


GMX - Die Kommunikationsplattform im Internet.

More information about the Snort-users mailing list