[Snort-users] tcpdump script
nate+snort at ...14258...
Wed Apr 8 08:01:12 EDT 2009
Leon Ward wrote:
> I have limited storage available on the sensor that I run Snort on
> protects my live systems, but I still wanted more data available for
> post-event detection analysis than what's contained in the event
> The method I use is to keep a limited cache of network traffic via
> ringbuffer mode, a few 100MB of pcap data. When Snort raises an
> alert, a
> process automatically kicks off that extracts the session that
> caused the
> alert from the ringbuffer and stores it for prosperity.
Another option might be using a second system for packet capture or
capturing on one interface and sending it out another interface to a
system with more storage. Sguil supports keeping the packet logs on
a separate system from the one running Snort. If needed, you can
also use BPFs to reduce the amount of traffic captured.
> I find that this trade-off of storage vs traffic context works great
> for me.
> I have a syn->fin pcap for every event i'm interested in without
> terabytes of traffic hanging around until I get round to analysing
> I have some working scripts that I could provide if anyone wants
> them, but I
> would have to censor them a bit before they can be shared. Let me
This is definitely better than nothing, but Snort doesn't catch
everything so only capturing data related to alerts still leaves
room for improvement. Having session data plus packet captures has
helped me find plenty of activity that never alerted but was still
malicious. It also allows me to go through sessions to packet
captures before or after an alert to see how a system was
compromised, whether the alert was valid, get a better context, see
what an attacker or system did after being exploited, etc.
Don't get me wrong, I'm not saying you're doing it wrong, just
offering some other suggestions for you or others that are reading.
More information about the Snort-users