[Snort-users] tcpdump script

Leon Ward seclists at ...14165...
Thu Apr 9 04:50:05 EDT 2009


Hi

On Wed, Apr 8, 2009 at 3:23 PM, Jason Brvenik <jasonb at ...1935...> wrote:

> You are not using a unified output method? Blasphemy!


/me Hangs head in shame. I think we need to update the old saying, "A
cobbler's children have no shoes" [1] -> "A Sourcefire employee uses -A fast".

You are totally correct, and I have stood up and preached this message
myself enough times, especially while teaching Snort courses.

> You should be using unified output and SnortUnified.pm :)


Correct, and rather than just share my fast output dependent swatch
foo(bar), I will update it to use unified2 and then distribute.

[1]
http://wiki.answers.com/Q/Origin_of_the_phrase_the_cobbler%27s_children_have_no_shoes

-Leon



>
>
> On Wed, Apr 8, 2009 at 9:14 AM, Leon Ward <seclists at ...14165...> wrote:
> > I use the fast output plugin, and swatch the alert file.
> >
> > -Leon
> >
> > On Wed, Apr 8, 2009 at 2:06 PM, Jack Pepper
> > <pepperjack at ...14319...> wrote:
> >>
> >> Quoting Leon Ward <seclists at ...14165...>:
> >>
> >>> The method I use is to keep a limited cache of network traffic via
> >>> tcpdump's ringbuffer mode, a few 100MB of pcap data. When Snort raises
> >>> an alert, a process automatically kicks off that extracts the session
> >>> that caused the alert from the ringbuffer and stores it for posterity.
> >>>
> >>> I have some working scripts that I could provide if anyone wants them,
> >>> but I would have to censor them a bit before they can be shared. Let me
> >>> know.
> >>
> >> I would be quite interested.  Are you hooking an output plugin for the
> >> trigger?
> >>
> >> jp
> >>
> >> --
> >>
> >> Framework?  I don't need no stinking framework!
> >>
> >> ----------------------------------------------------------------
> >> @fferent Security Labs:  Isolate/Insulate/Innovate
> >> http://www.afferentsecurity.com
> >>
> >
> >
> >
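The ringbuffer-and-carve approach Leon describes above, written out as an added example in POSIX shell. This is not Leon's script and not Snort or tcpdump project code. It assumes (none of this is stated in the thread) that the ring files sit in one directory and carry the ring.pcap0..ring.pcapN-1 names tcpdump's -W option produces, that the trigger is a Snort 2.x "-A fast" alert line for IPv4 traffic handed to the script by swatch or a similar log watcher, and that mergecap from Wireshark is optional for stitching the per-file slices into one pcap. The sample alert line is constructed for the example.

```shell
#!/bin/sh
# Added example (not Leon's script): keep a tcpdump ring buffer and, when Snort
# writes a "-A fast" alert, carve the offending session out of the ring.
# Assumptions (not from the thread): ring files are named ring.pcap0..N-1 by
# tcpdump -W in one directory; alert lines are IPv4 Snort 2.x fast output;
# mergecap (Wireshark) is optional for joining the slices.

# Constructed sample alert in Snort "-A fast" format (not a real alert).
SAMPLE_ALERT='04/08-14:06:12.123456  [**] [1:1000001:1] TEST session carve [**] [Classification: Misc activity] [Priority: 3] {TCP} 192.168.1.10:51234 -> 10.0.0.5:80'

# Print the tcpdump command for a ring of COUNT files of SIZE_MB each.
# -C rotates at SIZE_MB million bytes, -W caps the file count (oldest is
# overwritten), -s 0 keeps whole packets (2009-era tcpdump defaulted to 96
# bytes), -U flushes per packet so the slice being written is readable when
# an alert fires.
ring_capture_cmd() {
    iface=$1 dir=$2 size_mb=$3 count=$4
    printf 'tcpdump -n -s 0 -U -i %s -C %s -W %s -w %s/ring.pcap\n' \
        "$iface" "$size_mb" "$count" "$dir"
}

# Turn one fast-format alert line into a BPF filter for the session.
# Everything after the last "{PROTO}" tag is "src[:sport] -> dst[:dport]".
# Ports are absent for ICMP; IPv6 (colons in the address) is not handled.
alert_to_bpf() {
    line=$1
    tail=${line##*\{}                 # "TCP} 192.168.1.10:51234 -> 10.0.0.5:80"
    proto=${tail%%\}*}                # "TCP"
    ep=${tail#*\}}; ep=${ep#" "}      # "192.168.1.10:51234 -> 10.0.0.5:80"
    src=${ep%%" -> "*}
    dst=${ep##*" -> "}
    proto_lc=$(printf '%s' "$proto" | tr 'A-Z' 'a-z')
    case $src in
        *:*)
            sip=${src%:*} sport=${src##*:}
            dip=${dst%:*} dport=${dst##*:}
            # Both directions of the 5-tuple, nothing else from the same hosts.
            printf '%s and ((src host %s and src port %s and dst host %s and dst port %s) or (src host %s and src port %s and dst host %s and dst port %s))\n' \
                "$proto_lc" "$sip" "$sport" "$dip" "$dport" "$dip" "$dport" "$sip" "$sport"
            ;;
        *)
            printf '%s and host %s and host %s\n' "$proto_lc" "$src" "$dst"
            ;;
    esac
}

# Read every ring slice with the session filter and write the matches out.
# $1: alert line  $2: ring directory  $3: output directory
extract_session() {
    alert=$1 ringdir=$2 outdir=$3
    filter=$(alert_to_bpf "$alert")
    stamp=$(date +%Y%m%d-%H%M%S)
    mkdir -p "$outdir"
    parts=""
    for f in "$ringdir"/ring.pcap*; do
        [ -f "$f" ] || continue
        part="$outdir/part-$stamp-$(basename "$f")"
        # -r reads one ring slice; only packets matching the filter are written.
        tcpdump -n -r "$f" -w "$part" "$filter" 2>/dev/null && parts="$parts $part"
    done
    [ -n "$parts" ] || return 1
    # mergecap yields one time-ordered pcap; without it the slices are kept.
    if command -v mergecap >/dev/null 2>&1; then
        # shellcheck disable=SC2086
        mergecap -w "$outdir/session-$stamp.pcap" $parts && rm -f $parts
    fi
}

# Usage: carve.sh capture IFACE DIR SIZE_MB COUNT    (prints the ring command)
#        carve.sh extract RINGDIR OUTDIR 'alert line' (log-watcher hook)
#        carve.sh demo                                (filter for the sample)
case ${1:-} in
    capture) shift; ring_capture_cmd "$@" ;;
    extract) extract_session "$4" "$2" "$3" ;;
    demo)    alert_to_bpf "$SAMPLE_ALERT" ;;
esac
```

Two caveats a practitioner would want: the ring only covers a bounded window, so a session that started before the oldest slice was overwritten comes out truncated, and the slice tcpdump is currently writing may be incomplete unless it was started with -U. Parsing "-A fast" text is also the brittle part of this design, which is exactly why the thread pushes unified2 output as the trigger instead.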