[Snort-users] tcpdump script

Nigel Houghton nhoughton at ...1935...
Wed Apr 8 08:43:03 EDT 2009


On Wed, Apr 8, 2009 at 8:01 AM, Nathaniel Richmond
<nate+snort at ...14258...> wrote:
> Leon Ward wrote:

>> The method I use is to keep a limited cache of network traffic via
>> tcpdump's ringbuffer mode, a few 100MB of pcap data. When Snort raises
>> an alert, a process automatically kicks off that extracts the session
>> that caused the alert from the ringbuffer and stores it for prosperity.
>>
>
> Another option might be using a second system for packet capture or
> capturing on one interface and sending it out another interface to a
> system with more storage. Sguil supports keeping the packet logs on
> a separate system from the one running Snort. If needed, you can
> also use BPFs to reduce the amount of traffic captured.
>
>> I find that this trade-off of storage vs traffic context works great
>> for me. I have a syn->fin pcap for every event I'm interested in
>> without keeping terabytes of traffic hanging around until I get round
>> to analysing an event.
>>
>> I have some working scripts that I could provide if anyone wants
>> them, but I would have to censor them a bit before they can be shared.
>> Let me know.
>>
>
> This is definitely better than nothing, but Snort doesn't catch
> everything so only capturing data related to alerts still leaves
> room for improvement. Having session data plus packet captures has
> helped me find plenty of activity that never alerted but was still
> malicious. It also allows me to go through sessions to packet
> captures before or after an alert to see how a system was
> compromised, whether the alert was valid, get a better context, see
> what an attacker or system did after being exploited, etc.
>
> Don't get me wrong, I'm not saying you're doing it wrong, just
> offering some other suggestions for you or others that are reading.

Quoting Leon to make it clear what he actually stated:

"The method I use is to keep a limited cache of network traffic via
tcpdump's ringbuffer mode, a few 100MB of pcap data. When Snort raises
an alert, a process automatically kicks off that extracts the session
that caused the alert from the ringbuffer and stores it for
prosperity."

In short, Leon is not using Snort to grab the packets. He is getting
full session data for the event and IMNSHO he's doing it elegantly.

p.s. *Everyone* should have upgraded to Snort 2.8.4 already, if not, do it now.

--
Nigel Houghton
Head Mentalist
SF VRT
http://vrt-sourcefire.blogspot.com && http://www.snort.org/vrt/
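Leon's scripts are not posted in this thread. As an added illustration of the approach he describes (a tcpdump ring buffer plus a per-alert extraction step), here is a small POSIX shell script; it is not Leon's code and not part of Snort or tcpdump. The ring directory and file sizes, the `nobody` user for privilege dropping, the evidence directory, and the convention of passing an alert id and the TCP 5-tuple as arguments are all assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the thread): ring-buffer capture with tcpdump and
# extraction of one TCP session from the ring when an alert fires.
# All paths, sizes and argument conventions below are assumptions.

RING_DIR=${RING_DIR:-/var/cache/pcap}            # assumed ring location
RING_PREFIX=${RING_PREFIX:-ring}                 # tcpdump appends a sequence number
RING_FILE_MB=${RING_FILE_MB:-50}                 # -C: rotate every 50 MB
RING_FILES=${RING_FILES:-10}                     # -W: keep 10 files (~500 MB total)
EVIDENCE_DIR=${EVIDENCE_DIR:-/var/lib/alert-sessions}  # assumed evidence location

# Start tcpdump in ring-buffer mode. -C rotates the output file at
# RING_FILE_MB megabytes, -W caps the number of files so the oldest is
# overwritten, -s 0 keeps whole packets, -Z drops privileges once the
# interface is open. Runs in the foreground; wrap it in your init system.
start_ringbuffer() {
    iface=$1
    mkdir -p "$RING_DIR"
    tcpdump -i "$iface" -s 0 -n -Z nobody \
        -C "$RING_FILE_MB" -W "$RING_FILES" \
        -w "$RING_DIR/$RING_PREFIX"
}

# Build a BPF expression matching both directions of one TCP session from
# the alert's 5-tuple (src, sport, dst, dport). Each direction is spelled
# out so a reply in the other direction is kept and an unrelated flow that
# merely shares the two port numbers is not.
session_filter() {
    printf 'tcp and ((src host %s and src port %s and dst host %s and dst port %s) or (src host %s and src port %s and dst host %s and dst port %s))' \
        "$1" "$2" "$3" "$4" "$3" "$4" "$1" "$2"
}

# Pull the session out of every ring segment, oldest first, into one
# directory per alert. Segments with no matching packets are dropped.
# Prints the evidence directory path.
extract_session() {
    alert_id=$1; src=$2; sport=$3; dst=$4; dport=$5
    filter=$(session_filter "$src" "$sport" "$dst" "$dport")
    out="$EVIDENCE_DIR/$alert_id"
    mkdir -p "$out"
    n=0
    # ls -tr: oldest segment first so the parts stay in time order
    for f in $(ls -tr "$RING_DIR"/"$RING_PREFIX"* 2>/dev/null); do
        n=$((n + 1))
        part=$(printf '%s/part-%03d.pcap' "$out" "$n")
        tcpdump -n -r "$f" -w "$part" "$filter" 2>/dev/null
        # a pcap holding only the 24-byte global header has no packets
        [ "$(wc -c < "$part")" -le 24 ] && rm -f "$part"
    done
    echo "$out"
}

# Command dispatch; with no arguments the script defines functions only.
case "${1:-}" in
    start)   start_ringbuffer "$2" ;;
    extract) extract_session "$2" "$3" "$4" "$5" "$6" ;;
esac
```

Run `./ringcap.sh start eth0` under root to keep the ring going, and have whatever consumes Snort's alerts call `./ringcap.sh extract <alert-id> <src> <sport> <dst> <dport>`. The per-segment files can be joined with Wireshark's `mergecap` if it is installed. Two limits are worth sizing the ring for: a session whose start has already been overwritten comes back incomplete, so the ring must cover the delay between the alert and the extraction, and the filter as written only handles TCP; UDP flows need a different expression.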