[Snort-users] tcpdump script

Leon Ward seclists at ...14165...
Wed Apr 8 09:14:45 EDT 2009


I use the fast output plugin, and swatch the alert file.

-Leon

On Wed, Apr 8, 2009 at 2:06 PM, Jack Pepper <pepperjack at ...14319...> wrote:

> Quoting Leon Ward <seclists at ...14165...>:
>
>> The method I use is to keep a limited cache of network traffic via
>> tcpdump's ringbuffer mode, a few 100MB of pcap data. When Snort raises an
>> alert, a process automatically kicks off that extracts the session that
>> caused the alert from the ringbuffer and stores it for prosperity.
>>
>> I have some working scripts that I could provide if anyone wants them, but
>> I would have to censor them a bit before they can be shared. Let me know.
>>
>
> I would be quite interested.  Are you hooking an output plugin for the
> trigger?
>
> jp
>
> --
>
> Framework?  I don't need no stinking framework!
>
> ----------------------------------------------------------------
> @fferent Security Labs:  Isolate/Insulate/Innovate
> http://www.afferentsecurity.com
>
>
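As an added example (written here, not Leon's scripts, which were never posted), a POSIX sh script for the trigger side of the setup the thread describes: it turns one Snort alert_fast line into a BPF filter for the session that fired the rule and carves that session out of tcpdump's ring-buffer files. The ring and output directories, the ring file name, and the use of mergecap to join the per-file results are assumptions.

```shell
#!/bin/sh
# Assumed capture side (hypothetical paths): tcpdump's ring buffer, e.g.
#   tcpdump -i eth0 -C 100 -W 10 -w /var/cache/tcpdump/ring.pcap
RING_DIR="${RING_DIR:-/var/cache/tcpdump}"
OUT_DIR="${OUT_DIR:-/var/lib/snort/sessions}"

# alert_fast line layout assumed (IPv4; ICMP lines carry no ports):
#   <ts> [**] [gid:sid:rev] <msg> [**] [Classification: ..] [Priority: n] {PROTO} src:sport -> dst:dport

# gid-sid of the rule that fired, used to name the extracted pcap.
alert_sig_id() {
    printf '%s\n' "$1" | sed -n 's/.*\[\([0-9]*:[0-9]*\):[0-9]*\].*/\1/p' | tr ':' '-'
}

# BPF filter matching only this session, in both directions.
# Returns 1 (and prints nothing) if the line does not parse.
alert_to_bpf() {
    proto=$(printf '%s\n' "$1" | sed -n 's/.*{\([A-Za-z]*\)}.*/\1/p' | tr 'A-Z' 'a-z')
    ends=$(printf '%s\n' "$1" | sed -n 's/.*} *\([^ ]*\) -> \([^ ]*\).*/\1 \2/p')
    [ -n "$proto" ] && [ -n "$ends" ] || return 1
    set -- $ends
    case $proto in
        tcp|udp)
            printf '%s and host %s and host %s and port %s and port %s\n' \
                "$proto" "${1%:*}" "${2%:*}" "${1##*:}" "${2##*:}" ;;
        *)  printf '%s and host %s and host %s\n' "$proto" "$1" "$2" ;;
    esac
}

# Walk the ring files oldest first, keep only the session's packets from each,
# then join the pieces (mergecap from Wireshark; assumed installed).
extract_session() {
    filter=$(alert_to_bpf "$1") || { echo "unparseable alert: $1" >&2; return 1; }
    out="$OUT_DIR/$(date +%Y%m%d-%H%M%S)-$(alert_sig_id "$1")-$$.pcap"
    mkdir -p "$OUT_DIR"
    n=0
    for f in $(ls -tr "$RING_DIR"/ring.pcap* 2>/dev/null); do
        n=$((n + 1))
        tcpdump -nn -r "$f" -w "$out.part$n" "$filter" 2>/dev/null
    done
    [ "$n" -gt 0 ] || { echo "no ring files in $RING_DIR" >&2; return 1; }
    mergecap -w "$out" "$out".part* && rm -f "$out".part*
    echo "$out"
}

# When called with the alert line as arguments (e.g. from swatch's per-line
# action on the fast alert file), extract that session.
if [ "$#" -gt 0 ]; then extract_session "$*"; fi
```

Pointed at the fast alert file by swatch, one call per new line gives the automatic extraction the thread describes.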