[Snort-users] simultaneous snort and tcpdump

Bennett Todd bet at ...6163...
Thu Sep 26 14:17:02 EDT 2002


2002-09-26-16:47:40 Carl Gibbons:
> Okay, here's an example of what I'd like:  for every snort alert,
> don't just save (into mmdd at ...3818...) the packet that caused
> the alert, but also save the ten preceding and ten succeeding
> packets between the same hosts.

Sounds spiffy. Sounds like something that would require a fair
amount of additional code; I'm not sure how it would be easiest to
craft that code.

> This is why I am running tcpdump and snort simultaneously.

If you've got the resources to take that approach, it's probably the
simplest approximation to implement.

> My question remains.  Sorry, Jason, but your "RTFM" suggestion to
> craft a clever snort rule doesn't help.

Perhaps I misunderstood Jason, but I _think_ his suggestion is very
relevant.

I took him to mean that it might be more efficient to use one snort
to do the job you're currently doing with snort + tcpdump. Rather
than running both snort and tcpdump, run just snort, and configure
the snort to log everything, by creating a rule that logs
everything. I think the canonical example might be

	log ip any any <> any any

although I'm not sure, as I haven't actually tried this.

If you don't need the alerts in real-time, another approach might be
to just use either snort or tcpdump as a pure packet capture to save
everything in a libpcap format file, then as you rotate logs, rotate
them clean off your capture sniffer to a log archival system, and
there run snort over them with -r.

-Bennett
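The "additional code" Bennett mentions, as an added example for this thread (not code from the original post, from Carl, or from the Snort project): given a classic libpcap file such as tcpdump -w or snort -b writes, and the index of the packet that raised an alert, pull out the ten preceding and ten succeeding packets exchanged between the same two hosts in either direction, and write them to a new pcap. The capture embedded below is constructed in memory for the example; the packet indices, the 10.0.0.x addresses and the function names are all assumptions. Only Ethernet/IPv4 frames in the old pcap format are handled, which is what tcpdump and snort wrote in 2002; pcapng is rejected rather than misparsed.

```python
"""Context-window extraction around an alert packet in a libpcap file.
Added example for this thread; not part of the original post or of Snort."""
import socket
import struct

PCAP_MAGIC_LE = 0xA1B2C3D4   # classic pcap, microsecond timestamps
PCAP_MAGIC_BE = 0xD4C3B2A1   # same format, written on a big-endian host
LINKTYPE_ETHERNET = 1


def ethernet_ipv4_frame(src, dst):
    """Minimal Ethernet + IPv4 header with no payload (constructed test data)."""
    eth = b"\x00" * 12 + b"\x08\x00"                       # dummy MACs, ethertype IPv4
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return eth + ip


def build_pcap(records):
    """records: iterable of (timestamp, frame_bytes). Returns pcap file bytes."""
    out = bytearray(struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535,
                                LINKTYPE_ETHERNET))
    for ts, frame in records:
        ts_sec, ts_usec = int(ts), int(round((ts - int(ts)) * 1e6))
        out += struct.pack("<IIII", ts_sec, ts_usec, len(frame), len(frame)) + frame
    return bytes(out)


def parse_pcap(data):
    """Return a list of (timestamp, frame) from classic pcap bytes."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic == PCAP_MAGIC_LE:
        end = "<"
    elif magic == PCAP_MAGIC_BE:
        end = ">"
    else:
        raise ValueError("not a classic libpcap file (pcapng is not handled)")
    linktype = struct.unpack_from(end + "IHHiIII", data, 0)[6]
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet captures are handled here")
    pkts, off = [], 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack_from(end + "IIII", data, off)
        off += 16
        frame = data[off:off + incl_len]
        if len(frame) < incl_len:
            break   # truncated final record, e.g. the sniffer was killed mid-write
        off += incl_len
        pkts.append((ts_sec + ts_usec / 1e6, frame))
    return pkts


def ipv4_hosts(frame):
    """(src, dst) of an IPv4-over-Ethernet frame, or None if it is not one."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[14] >> 4 != 4:
        return None
    return socket.inet_ntoa(frame[26:30]), socket.inet_ntoa(frame[30:34])


def context_window(pkts, alert_index, before=10, after=10):
    """Indices of up to `before` earlier and `after` later packets between the
    same two hosts (either direction) as the packet at alert_index."""
    hosts = ipv4_hosts(pkts[alert_index][1])
    if hosts is None:
        raise ValueError("alert packet is not IPv4; no host pair to match on")
    pair = frozenset(hosts)                                  # direction-agnostic
    same = [i for i, (_, f) in enumerate(pkts)
            if ipv4_hosts(f) is not None and frozenset(ipv4_hosts(f)) == pair]
    pos = same.index(alert_index)
    return same[max(0, pos - before):pos], same[pos + 1:pos + 1 + after]


def extract_context(data, alert_index, before=10, after=10):
    """Return a new pcap holding the context window plus the alert packet."""
    pkts = parse_pcap(data)
    pre, post = context_window(pkts, alert_index, before, after)
    return build_pcap(pkts[i] for i in pre + [alert_index] + post)


# Constructed sample: two conversations interleaved, A<->B and A<->C (assumed addresses).
HOST_A, HOST_B, HOST_C = "10.0.0.1", "10.0.0.2", "10.0.0.3"
SAMPLE_FLOW = [(HOST_A, HOST_B), (HOST_A, HOST_C), (HOST_B, HOST_A), (HOST_C, HOST_A),
               (HOST_A, HOST_B), (HOST_A, HOST_C), (HOST_B, HOST_A), (HOST_A, HOST_B),
               (HOST_C, HOST_A)]
SAMPLE_PCAP = build_pcap((1033064000 + i, ethernet_ipv4_frame(s, d))
                         for i, (s, d) in enumerate(SAMPLE_FLOW))
ALERT_INDEX = 4   # assume snort fired on the fifth packet (A -> B)

if __name__ == "__main__":
    pre, post = context_window(parse_pcap(SAMPLE_PCAP), ALERT_INDEX)
    print("context packets before/after alert:", pre, post)
```

In practice the alert index comes from matching the alert's timestamp and host pair against the capture; if the two sniffers (snort and tcpdump) started at different moments their packet counts will not line up, so match on time rather than position. Matching on the unordered host pair is deliberate: a reply packet from the server is part of the same conversation as the request snort alerted on.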