[Snort-users] simultaneous snort and tcpdump
bet at ...6163...
Thu Sep 26 14:17:02 EDT 2002
2002-09-26-16:47:40 Carl Gibbons:
> Okay, here's an example of what I'd like: for every snort alert,
> don't just save (into mmdd at ...3818...) the packet that caused
> the alert, but also save the ten preceding and ten succeeding
> packets between the same hosts.
Sounds spiffy. Sounds like something that would require a fair
amount of additional code; I'm not sure how would be easiest to
craft that code.
> This is why I am running tcpdump and snort simultaneously.
If you've got the resources to take that approach, it's probably the
simplest approximation to implement.
> My question remains. Sorry, Jason, but your "RTFM" suggestion to
> craft a clever snort rule doesn't help.
Perhaps I misunderstood Jason, but I _think_ his suggestion is very
I took him to mean that it might be more efficient to use one snort
to do the job you're currently doing with snort + tcpdump. Rather
than running both snort and tcpdump, run just snort, and configure
the snort to log everything, by creating a rule that logs
everything. I think the canonical example might be
log any any any <> any any
although I'm not sure, as I haven't actually tried this.
If you don't need the alerts in real-time, another approach might be
to just use either snort or tcpdump as a pure packet capture to save
everything in a libpcap format file, then as you rotate logs, rotate
them clean off your capture sniffer to a log archival system, and
there run snort over them with -r.
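Carl's wish above (for each alert, keep the ten packets before and after the alerting packet that were exchanged between the same two hosts) is the kind of post-processing you could run over the archived libpcap files once the rotate-and-replay setup described here is in place. What follows is an added example, not code from this thread or from the Snort project: a pure-stdlib libpcap reader and writer, the host-pair context selection, and a constructed sample capture to drive it. It assumes classic libpcap files with Ethernet/IPv4 frames, as tcpdump -w writes; the host addresses, timestamps and alert index are made up.

```python
import struct

PCAP_MAGIC = 0xA1B2C3D4  # classic libpcap magic (microsecond timestamps)
DLT_EN10MB = 1           # Ethernet link type, what tcpdump -w normally writes


def read_pcap(data: bytes):
    """Parse a classic libpcap file into a list of (timestamp, raw_frame)."""
    magic = struct.unpack_from("<I", data, 0)[0]
    if magic == PCAP_MAGIC:
        endian = "<"
    elif magic == 0xD4C3B2A1:  # same magic written by a big-endian host
        endian = ">"
    else:
        raise ValueError("not a classic libpcap file")
    linktype = struct.unpack_from(endian + "I", data, 20)[0]
    if linktype != DLT_EN10MB:
        raise ValueError("this example only handles Ethernet captures")
    packets, off = [], 24  # the global header is 24 bytes
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig = struct.unpack_from(endian + "IIII", data, off)
        off += 16
        packets.append((ts_sec + ts_usec / 1e6, data[off:off + incl_len]))
        off += incl_len
    return packets


def write_pcap(packets, snaplen=65535) -> bytes:
    """Serialise (timestamp, raw_frame) tuples back into a libpcap file."""
    out = [struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, DLT_EN10MB)]
    for ts, frame in packets:
        sec = int(ts)
        usec = int(round((ts - sec) * 1e6))
        out.append(struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame)
    return b"".join(out)


def host_pair(frame: bytes):
    """Unordered IPv4 (src, dst) pair of an Ethernet frame, or None if not IPv4."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    src = ".".join(str(b) for b in frame[26:30])
    dst = ".".join(str(b) for b in frame[30:34])
    return frozenset((src, dst))


def context_for_alert(packets, alert_index, before=10, after=10):
    """Indices of the alerted packet plus up to `before` earlier and `after`
    later packets between the same two hosts, in capture order."""
    pair = host_pair(packets[alert_index][1])
    if pair is None:
        return [alert_index]
    earlier = []
    for i in range(alert_index - 1, -1, -1):
        if len(earlier) == before:
            break
        if host_pair(packets[i][1]) == pair:
            earlier.append(i)
    later = []
    for i in range(alert_index + 1, len(packets)):
        if len(later) == after:
            break
        if host_pair(packets[i][1]) == pair:
            later.append(i)
    return earlier[::-1] + [alert_index] + later


def extract_context(capture: bytes, alert_index, before=10, after=10) -> bytes:
    """Write the alert's surrounding conversation out as its own pcap."""
    packets = read_pcap(capture)
    keep = context_for_alert(packets, alert_index, before, after)
    return write_pcap([packets[i] for i in keep])


# --- constructed sample data, not a real capture ----------------------------
def _frame(src_ip: str, dst_ip: str) -> bytes:
    """Minimal Ethernet + IPv4 header; the payload is irrelevant for host matching."""
    eth = b"\x02" * 12 + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 6, 0,
                     bytes(int(o) for o in src_ip.split(".")),
                     bytes(int(o) for o in dst_ip.split(".")))
    return eth + ip


def build_sample_capture() -> bytes:
    """40 frames: every third one is A<->C, the rest A<->B, directions alternating."""
    a, b, c = "10.0.0.1", "10.0.0.2", "10.0.0.3"  # made-up hosts
    frames = []
    for i in range(40):
        peer = c if i % 3 == 0 else b
        src, dst = (a, peer) if i % 2 == 0 else (peer, a)
        frames.append((1032985022.0 + i / 1000, _frame(src, dst)))  # arbitrary timestamps
    return write_pcap(frames)


def demo(alert_index=20):
    """Context indices for a hypothetical alert on the given sample packet."""
    return context_for_alert(read_pcap(build_sample_capture()), alert_index)


if __name__ == "__main__":
    print(demo())
```

With a real archive you would replace build_sample_capture() with the bytes of a rotated capture file and alert_index with the position of the packet Snort flagged; extract_context() then yields a small pcap holding just that conversation window, which is cheap to keep long after the full captures have been rotated away.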