[Snort-users] tcpdump script

Jack Pepper pepperjack at ...14319...
Wed Apr 8 09:06:46 EDT 2009


Quoting Leon Ward <seclists at ...14165...>:

> The method I use is to keep a limited cache of network traffic via tcpdump's
> ringbuffer mode, a few 100MB of pcap data. When Snort raises an alert, a
> process automatically kicks off that extracts the session that caused the
> alert from the ringbuffer and stores it for prosperity.
>
> I have some working scripts that I could provide if anyone wants them, but I
> would have to censor them a bit before they can be shared. Let me know.

I would be quite interested. Are you hooking an output plugin for the trigger?

jp

-- 

Framework?  I don't need no stinking framework!

----------------------------------------------------------------
@fferent Security Labs:  Isolate/Insulate/Innovate  
http://www.afferentsecurity.com
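The workflow Leon describes above (a tcpdump ring buffer, then a per-alert carve of the offending session) written out as a POSIX shell script. This is an added example, not Leon's scripts and not part of the original thread. It assumes the ring files follow tcpdump's `-C`/`-W` naming (`ring.pcap0`, `ring.pcap1`, ...) under a directory of your choosing, that the trigger is a line from Snort's "fast" alert output (for example fed in by whatever tails the alert file; it does not hook an output plugin), and that `tcpdump` and optionally `mergecap` are on the PATH. Hostnames, addresses and paths in the comments are constructed.

```sh
#!/bin/sh
# Added example: carve the session behind a Snort alert out of a tcpdump ring buffer.
# Assumptions (not from the original post): ring files are $RING_DIR/ring.pcapN as written by
# tcpdump -C/-W, alerts arrive in Snort "fast" format, tcpdump/mergecap are installed.

RING_DIR="${RING_DIR:-/var/cache/pcap}"            # where the ring buffer lives
OUT_DIR="${OUT_DIR:-/var/lib/snort/sessions}"       # where carved sessions are kept

# Start the ring: 10 files of 100 MB each, oldest overwritten; run this under a supervisor.
start_ring() {
    # -n no name lookups, -s 0 full packets, -C file size in MB, -W number of files in the ring
    tcpdump -i "${1:-eth0}" -n -s 0 -C 100 -W 10 -w "$RING_DIR/ring.pcap"
}

# Turn one fast-format alert line into a direction-agnostic BPF filter for its 5-tuple.
# Constructed input example:
#   04/08-09:06:46.123456  [**] [1:1000001:1] Constructed rule [**] [Priority: 2] {TCP} 192.0.2.10:44321 -> 198.51.100.5:80
alert_to_bpf() {
    line=$1
    # protocol is the token inside {...}; the endpoints are always the last three tokens: src -> dst
    proto=$(printf '%s\n' "$line" | sed -n 's/.*{\([A-Za-z]*\)}.*/\1/p' | tr 'A-Z' 'a-z')
    src=$(printf '%s\n' "$line" | awk '{print $(NF-2)}')
    dst=$(printf '%s\n' "$line" | awk '{print $NF}')
    case "$proto" in
        tcp|udp)
            # port is whatever follows the last colon, so IPv6 literals still split correctly
            sip=${src%:*}; sport=${src##*:}
            dip=${dst%:*}; dport=${dst##*:}
            printf '%s and host %s and host %s and port %s and port %s' \
                "$proto" "$sip" "$dip" "$sport" "$dport"
            ;;
        icmp)
            printf 'icmp and host %s and host %s' "$src" "$dst"
            ;;
        *)
            return 1   # unknown or missing protocol: refuse rather than carve everything
            ;;
    esac
}

# Read every ring file with the alert's filter and keep the packets that match,
# merged into one pcap per alert when mergecap is available.
extract_session() {
    alert_line=$1
    filter=$(alert_to_bpf "$alert_line") || { echo "cannot parse alert: $alert_line" >&2; return 1; }
    stamp=$(date +%Y%m%d%H%M%S)
    work="$OUT_DIR/work-$stamp-$$"
    mkdir -p "$work"
    n=0
    for f in "$RING_DIR"/ring.pcap*; do
        [ -f "$f" ] || continue
        part="$work/part-$n.pcap"
        tcpdump -n -r "$f" -w "$part" "$filter" 2>/dev/null
        # a pcap with only the 24-byte global header holds no packets; drop it
        [ "$(wc -c < "$part")" -gt 24 ] || rm -f "$part"
        n=$((n + 1))
    done
    final="$OUT_DIR/session-$stamp.pcap"
    if command -v mergecap >/dev/null 2>&1; then
        mergecap -w "$final" "$work"/part-*.pcap 2>/dev/null
    else
        # without mergecap, keep the per-file parts next to each other
        mkdir -p "$final.d" && mv "$work"/part-*.pcap "$final.d/" 2>/dev/null
    fi
    rm -rf "$work"
    echo "$final"
}

# Usage: carve.sh extract '<one fast-format alert line>'
case "${1:-}" in
    extract) extract_session "$2" ;;
esac
```

The ring only ever holds the last 1 GB of traffic, so the carve has to run as soon as the alert is written; if the alert file is tailed by a slow consumer, the session can already have rolled out of the ring by the time the script looks for it, which is the main argument for a tighter trigger such as an output plugin.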
