[Snort-users] Traffic 'surrounding' an alert (was: Help needed: Performance ...)

Chris Green cmg at ...671...
Wed Jan 2 12:02:08 EST 2002

Marc Dreher <MarcDreher at ...158...> writes:

> Hi Erek,
> I found a few posts on tagging and the feature looks good. Allthough I am
> not sure if it is advisable to simple add tagging to every signature. 

Only on signatures that you really care about.  In my environment I
use it to determine if exploits were successful or not ( if they don't
have a simple "match a attack.response" rule for 50mbit of traffic.

>  The reason I want to caputre the whole traffic is, that if there is
> some kind of alert which requires further investigation the ability
> to pull the surrounding traffic might come in handy. Lately I read
> that "being able to pull all the traffic from a host is very
> valuable when doing analysis. If your IDS does not support this,
> beat on your vendor" ;-) As there is no beating needed in regard of
> snort my only problem is to find the best way to achive this from a
> performance point of view. As I will be having multiple sensors
> monitoring everything from quite 10MBit workgroup LANs to a rather
> busy 100Mbit Backbone I can (mostly) only have one machine doing the
> alerting in IDS mode and the complete (fast mode) traffic captureing
> as well. Is this practical at all? Has anybody gathered experience
> on this issue?  Suggestions?

Quite frankly, I think not getting the extra data wastes a lot of time
having to walk admins through "is your machine patched" when you are
dealing with anything other than a small lan and you can know what
services are running.

I have 1 machine doing binary and fast mode logging with not too big
of a problem.  The main trick is to choose rules that you care about
and avoid any any -> any any rules ( mainly the shellcode rules )
except on ports you'd expect them on.

It's not perfect unfortuatenly but IDS, if it caputures real hacks,
has already shown you that its not a perfect world. 
Chris Green <cmg at ...671...>
Fame may be fleeting but obscurity is forever.

More information about the Snort-users mailing list