[Snort-users] tcpdump script

Leon Ward seclists at ...14165...
Wed Apr 8 05:03:38 EDT 2009


Hello.

I have limited storage available on the sensor that I run Snort on that
protects my live systems, but I still wanted more data available for
post-event detection analysis than what's contained in the event log.

The method I use is to keep a limited cache of network traffic via tcpdump's
ringbuffer mode, a few hundred MB of pcap data. When Snort raises an alert, a
process automatically kicks off that extracts the session that caused the
alert from the ringbuffer and stores it for posterity.

I find that this trade-off of storage vs traffic context works great for me.
I have a syn->fin pcap for every event I'm interested in without keeping
terabytes of traffic hanging around until I get round to analysing an
event.

I have some working scripts that I could provide if anyone wants them, but I
would have to censor them a bit before they can be shared. Let me know.

-Leon
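
Leon's scripts are not attached, so the following is an added example (mine, not Leon's) of the two pieces he describes: a tcpdump ring buffer of a few hundred MB and a function that carves one alert's session out of that buffer by its 5-tuple. The paths, interface name and sizes are assumed placeholders; tcpdump is expected on PATH and the capture step needs root.

```shell
#!/bin/sh
# Rolling pcap cache plus per-alert session extraction. Constructed example;
# assumes tcpdump on PATH and root (or CAP_NET_RAW) for the capture step.
# Paths, interface and sizes below are placeholders, overridable by env.

RING_DIR="${RING_DIR:-/var/cache/pcap-ring}"            # ring buffer files
EVIDENCE_DIR="${EVIDENCE_DIR:-/var/lib/snort/sessions}" # kept sessions
IFACE="${IFACE:-eth0}"
FILE_MB="${FILE_MB:-100}"     # size of each ring file in MB
FILE_COUNT="${FILE_COUNT:-5}" # files kept; 5 x 100 MB is the whole cache

# tcpdump command for the ring buffer: -C rotates every FILE_MB megabytes,
# -W caps the file count so the oldest file is overwritten, -s 0 keeps full
# packets, -Z drops root once the interface is open (so RING_DIR must be
# writable by that user, because the files are created after the drop).
ring_cmd() {
    printf 'tcpdump -i %s -s 0 -Z nobody -C %s -W %s -w %s/ring.pcap\n' \
        "$IFACE" "$FILE_MB" "$FILE_COUNT" "$RING_DIR"
}

# BPF expression matching one session in both directions from the 5-tuple
# Snort prints in its alert. Only tcp and udp carry ports.
session_filter() {
    proto=$1 src=$2 sport=$3 dst=$4 dport=$5
    case "$proto" in
        tcp|udp) ;;
        *) echo "session_filter: unsupported protocol '$proto'" >&2; return 1 ;;
    esac
    printf '%s and ((src host %s and src port %s and dst host %s and dst port %s) or (src host %s and src port %s and dst host %s and dst port %s))\n' \
        "$proto" "$src" "$sport" "$dst" "$dport" "$dst" "$dport" "$src" "$sport"
}

# Pull one alert's session out of every ring file, oldest first, keeping one
# evidence file per ring file that actually held matching packets.
# Usage: extract_session <alert-id> <proto> <src> <sport> <dst> <dport>
extract_session() {
    id=$1; shift
    filter=$(session_filter "$@") || return 1
    mkdir -p "$EVIDENCE_DIR"
    n=0
    for ring in $(ls -tr "$RING_DIR"/ring.pcap* 2>/dev/null); do
        n=$((n + 1))
        out="$EVIDENCE_DIR/$id-$n.pcap"
        tcpdump -nn -r "$ring" -w "$out" "$filter" 2>/dev/null
        # an output holding only the 24-byte pcap global header matched nothing
        [ "$(wc -c < "$out")" -gt 24 ] || rm -f "$out"
    done
}
```

Start the capture from an init script with `eval "$(ring_cmd)"` and call `extract_session` from whatever watches the Snort alert log; once the ring wraps, traffic older than the cache is gone, which is exactly the storage trade-off described above.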

On Wed, Apr 8, 2009 at 1:25 AM, Nathaniel Richmond <
nate+snort at ...14258... <nate%2Bsnort at ...14258...>> wrote:

> Jefferson, Shawn wrote:
> > Hi,
> >
> > I wanted to run tcpdump to capture all traffic on my snort sensor,
> > so that if I want to go take a look at traffic based on snort alerts
> > I could get more context.  I've set up a couple of scripts to gzip
> > the packet captures and send them to a storage server.  My question
> > is about starting tcpdump itself.  I tried doing it in the same
> > script that starts snort and barnyard, but this didn't seem to work
> > and I think it's due to the fact that tcpdump needs to be run as
> > root (?).
> >
> > So, I've created a root cron job that runs every five minutes and will
> > start tcpdump if it finds it not running (using "pidof tcpdump").
> >
>
> Have you looked at Sguil since it is designed with full packet
> capture in mind?
>
> It includes scripts that support either Snort in packet logging mode
> or daemonlogger (recommended) to capture traffic. You use cron to
> check partition usage and remove the old pcaps at whatever interval
> is appropriate.
>
> Sguil is designed to leave the pcaps on the sensor(s) and only
> retrieve the traffic that you want to look at. You use either an
> alert or session data as a starting point to tell Sguil what pcaps
> you want to retrieve and view either in ASCII or with a tool like
> Wireshark.
>
> www.sguil.net
> http://nsmwiki.org/Sguil
>
> > Not being a linux guru, is this the right way to approach this
> > problem?
> >
> > Thanks,
> > Shawn
> >
> >