[Snort-users] simultaneous snort and tcpdump

Jason security at ...5028...
Thu Sep 26 19:55:02 EDT 2002


Thanks to Todd for reading the true intent of the reply.

For clarification: it was not a "RTFM" response, rather a quick reply to 
point out that it can be done in an "elegant, efficient way" using the 
rule base. I have been on the road all week and probably should have 
just ignored the mail since I did not have the time to type a _proper_ 
reply. My apologies ;-)

I read the statement "and I want to record other traffic as well" with 
the statement "Perhaps there's an elegant, efficient way to do so with a 
single snort process" to mean that you had some idea of the other 
traffic you are interested in, not that you want all traffic. With this 
I was thinking that you were interested in only logging certain types of 
traffic that meet definable criteria beyond what tcpdump is capable of. 
This is one of the many areas where snort is perfectly suited for the task.

For example, your site was recently found to be hosting warez that the 
recently terminated administrator has placed there and you want to know 
where else the warez might have been hidden. You are a university and 
cannot tell by the names of files provided for download what is warez 
and what is not and politically are prevented from just nuking 
questionable content.

In this case you might want to log multiple complete web sessions from a 
host when a single session starts out with a request that includes a 
referer with the word warez in it.

I know that there are other ways of doing the analysis on this specific 
scenario but it is easy to explain and should be illustrative of the 
concept.

> Oh, I see.  Sorry for the misunderstanding.  Though, I think pass
> rules or other log rules might interfere with this, if I'm not
> careful...

You certainly have to pay attention to rule ordering and potential 
impact. If you are still concerned and need to accomplish a complicated 
selective logging implementation, you could still run a separate snort 
process with a separate rule base analyzing the same traffic.

Jason.

> Carl Gibbons wrote:
>
> On Thu, 26 Sep 2002, Bennett Todd wrote:
> Perhaps I misunderstood Jason, but I _think_ his suggestion is very
> relevant.
>
> I took him to mean that it might be more efficient to use one snort
> to do the job you're currently doing with snort + tcpdump. Rather
> than running both snort and tcpdump, run just snort, and configure
> the snort to log everything, by creating a rule that logs
> everything. I think the canonical example might be
>
>     log any any any <> any any
>
> Oh, I see.  Sorry for the misunderstanding.  Though, I think pass
> rules or other log rules might interfere with this, if I'm not
> careful...  Thanks for the explanation.
> If you don't need the alerts in real-time, another approach might be
> to just use either snort or tcpdump as a pure packet capture to save
> everything in a libpcap format file, then as you rotate logs, rotate
> them clean off your capture sniffer to a log archival system, and
> there run snort over them with -r.
>
> Wow, you're astute.  I'm actually also trying to set up a SHADOW
> IDS, and you've perfectly described SHADOW's architecture.  I don't
> yet have the SHADOW analyzer (you called it a log archival system)
> working, and so I'm experimenting with getting snort working on the
> SHADOW sensor machine (simultaneously with SHADOW's tcpdump) in the
> meantime.  - Carl
>
>
>
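Jason's warez scenario and Bennett's catch-all log rule, worked out as an added example that is not part of the thread: a snort.conf fragment that logs everything as pcap and, separately, tags a host for follow-on logging once one of its requests carries a "warez" referer. The HOME_NET value, output file name and sid are assumptions, not values from the thread.

```snort
# Added example (not from the thread). Values below are constructed:
# adjust HOME_NET, the output file and the sid to the sensor.
var HOME_NET 192.168.1.0/24
var EXTERNAL_NET any

# Logged and tagged packets go to one binary libpcap file, which is far
# cheaper than per-host ASCII directories when a whole host gets tagged.
output log_tcpdump: tagged.log

# Option A: Bennett's "one snort instead of snort + tcpdump" approach.
# A bare log rule with no options records every IP packet; comment it out
# if you only want the selective logging in option B.
log ip any any <> any any

# Option B: Jason's selective case. Fire on an inbound HTTP request whose
# headers contain "Referer:" and the string "warez" (two loose matches, so
# "warez" in the URI also triggers), then tag the source host so every
# packet it sends for the next 600 seconds is logged as well. That is what
# captures the later web sessions, not just the one triggering request.
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 \
    (msg:"WEB warez referer - tagging source host for 600s"; \
    content:"Referer|3a|"; content:"warez"; nocase; \
    tag:host,600,seconds,src; sid:1000001; rev:1;)
```

On rule ordering, which Carl raised: snort's default order evaluates alert rules before pass rules, so option B fires even with pass rules present; if the sensor runs with -o (pass rules first), a pass rule covering port 80 would suppress the tag.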