[Snort-users] tcpdump script

Will Metcalf william.metcalf at ...11827...
Wed Apr 8 13:55:31 EDT 2009


Here is my crappy little perl script to accomplish this, that uses another
crappy little perl script... ;-)...

http://node5.blogspot.com/2009/04/small-update-to-pcapparser.html

Regards,

Will

On Wed, Apr 8, 2009 at 12:22 PM, Nathaniel Richmond <nate+snort at ...14258...> wrote:

> Nigel Houghton wrote:
>
> > Quoting Leon to make it clear what he actually stated:
> >
> > "The method I use is to keep a limited cache of network traffic via
> > tcpdump's ringbuffer mode, a few 100MB of pcap data. When Snort raises
> > an alert, a process automatically kicks off that extracts the session
> > that caused the alert from the ringbuffer and stores it for prosperity."
> >
> > In short, Leon is not using Snort to grab the packets. He is getting
> > full session data for the event and IMNSHO he's doing it elegantly.
> >
> > p.s. *Everyone* should have upgraded to Snort 2.8.4 already, if not,
> > do it now.
> >
>
> Nigel, I understand. I was trying to point out that there can be
> value in capturing more sessions than just the one that triggered
> the alert.
>
> The Snort 2.8.4 upgrade process was relatively painless.
>
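The pipeline Leon describes above (a tcpdump ring buffer, then extraction of the session that raised the alert) as an added shell sketch; it is not Will's Perl script or Leon's process. The tcpdump options are real, while the directory paths, the ring size and the way the alert handler passes the 5-tuple are assumptions.

```sh
#!/bin/sh
# Added example: tcpdump ring buffer plus per-alert session extraction.
# Assumes: tcpdump on PATH, RING_DIR writable, OUT_DIR exists, and an alert
# handler (not shown) that hands us the protocol and 5-tuple from a Snort alert.

RING_DIR=${RING_DIR:-/var/cache/ringbuf}      # assumed location of the ring files
OUT_DIR=${OUT_DIR:-/var/lib/snort/sessions}   # assumed destination for sessions

# Rolling capture: -C rotates every 100 million bytes, -W 5 keeps five files
# (ring.pcap0 .. ring.pcap4), so roughly 500 MB of recent traffic stays on disk.
start_ring() {
    tcpdump -i "$1" -n -s 0 -C 100 -W 5 -w "$RING_DIR/ring.pcap"
}

# Refuse alert fields that are not a plain protocol, dotted IPv4 or port,
# so nothing odd from an alert ever reaches the BPF compiler or a filename.
valid_proto() { case $1 in tcp|udp) return 0 ;; *) return 1 ;; esac; }
valid_host()  { case $1 in ''|*[!0-9.]*) return 1 ;; *) return 0 ;; esac; }
valid_port() {
    case $1 in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# BPF expression matching both directions of one session.
build_session_filter() {
    proto=$1 src=$2 sport=$3 dst=$4 dport=$5
    printf '%s and ((src host %s and src port %s and dst host %s and dst port %s) or (src host %s and src port %s and dst host %s and dst port %s))' \
        "$proto" "$src" "$sport" "$dst" "$dport" "$dst" "$dport" "$src" "$sport"
}

# Pull the session out of every ring file. A session can straddle a rotation,
# so one output file per ring file is written; merge them afterwards if needed.
extract_session() {
    proto=$1 src=$2 sport=$3 dst=$4 dport=$5 tag=$6
    valid_proto "$proto" && valid_host "$src" && valid_host "$dst" \
        && valid_port "$sport" && valid_port "$dport" || return 1
    filter=$(build_session_filter "$proto" "$src" "$sport" "$dst" "$dport")
    n=0
    for f in "$RING_DIR"/ring.pcap*; do
        [ -f "$f" ] || continue
        tcpdump -n -r "$f" -w "$OUT_DIR/$tag.$n.pcap" "$filter" 2>/dev/null
        n=$((n + 1))
    done
}

case "${1:-}" in
    start)   start_ring "$2" ;;
    extract) extract_session "$2" "$3" "$4" "$5" "$6" "$7" ;;
esac
```

Run `./ring.sh start eth0` under a supervisor, and have the alert handler call `./ring.sh extract tcp 10.0.0.5 51234 192.168.1.10 80 sid1234-1239200000` with the alert's fields.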

