[Snort-users] Displaying few packets before a matched packet

Martin Holste mcholste at ...11827...
Fri Nov 18 12:19:00 EST 2011


Since this is about Bro, not Snort, I'll try to keep my comments very
brief here and note that the Bro user list should generally be used
for these questions.  That said, because Bro is such a great Snort
companion and therefore tangentially Snort-related, I'll refer to the
Bro quickstarts I have on my blog:

http://ossectools.blogspot.com/2011/08/monitoring-ssl-connections-with-bro.html
http://ossectools.blogspot.com/2011/09/bro-quickstart-cluster-edition.html

These were written for Ubuntu, but should be enough to get Bro up and
running and syslogging data to a central location for easy searching.
I highly recommend joining the Bro mailing list for further
clarification and assistance.

On Fri, Nov 18, 2011 at 10:05 AM, carlopmart <carlopmart at ...11827...> wrote:
> On 11/18/2011 04:22 PM, Martin Holste wrote:
>>> Hey everyone,
>>> I'm new to snort and was wondering if this is possible. Suppose a packet is
>>> matched by an alert rule, is it possible to make snort display few of the
>>> preceding packets as well?
>>
>> Not really, which is one of the reasons people run things like
>> daemonlogger.  We were just discussing alternatives last night with
>> things like URL logging.  Generally speaking, you should have
>> something doing general logging alongside Snort to provide context to
>> the alerts.  For general contextual information without the overhead
>> of full pcap, I recommend running Bro along with Snort.  It will
>> generically log connections, URLs, SMTP, SMTP entities, do full file
>> carving of HTTP/SMTP objects, etc.  That way when you get a Snort
>> alert, you can grep for the offending IP in your Bro logs to see what
>> it was up to.  There are many, many ways of doing this with other
>> solutions, this is just one example.
>>
>
> That's what I have been searching for for a long time. I would really like to do this with
> Bro, but it is terribly difficult to configure. Do you have some sample,
> Martin, for example to log SMTP and HTTP requests?
>
>
> --
> CL Martinez
> carlopmart {at} gmail {d0t} com
>

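The workflow described in the quoted reply (a Snort alert fires, then you look the offending IP up in Bro's logs to see what it did beforehand) can be scripted rather than grepped by hand. The following is an added example, not code from the thread or from the Bro or Snort projects: it parses a Snort fast-format alert line and a Bro `conn.log` excerpt, then lists the connections involving the alerting host that completed in the seconds before the alert. The log lines are constructed sample data, and it assumes the Snort sensor writes timestamps in UTC and that the alert's year is supplied by the caller, since fast-format alerts omit it.

```python
"""Correlate a Snort fast-format alert with preceding Bro conn.log entries.

Added example (not from the mailing-list thread, Bro, or Snort). Assumes the
Snort sensor logs alert times in UTC; the year is passed in because the fast
alert format does not carry one. All log lines below are constructed samples.
"""
import re
from datetime import datetime, timezone

# Constructed Bro conn.log excerpt, tab-separated with the #fields header
# line Bro writes; #separator and other # lines are treated as comments.
BRO_CONN_LOG = """\
#separator \\x09
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\tduration\torig_bytes\tresp_bytes\tconn_state
1321628400.100000\tCabc1\t192.0.2.10\t51000\t198.51.100.5\t80\ttcp\thttp\t0.25\t300\t1200\tSF
1321628405.300000\tCabc2\t192.0.2.10\t51001\t198.51.100.9\t25\ttcp\tsmtp\t1.10\t2000\t400\tSF
1321628410.500000\tCabc3\t192.0.2.77\t51002\t198.51.100.5\t80\ttcp\thttp\t0.20\t250\t900\tSF
1321628420.000000\tCabc4\t192.0.2.10\t51003\t203.0.113.4\t443\ttcp\tssl\t2.00\t1500\t5000\tSF
1321627000.000000\tCabc5\t192.0.2.10\t51004\t198.51.100.5\t80\ttcp\thttp\t0.10\t100\t100\tSF
"""

# Constructed Snort fast-format alert line (15:00:25 UTC on 11/18).
SNORT_ALERT = ("11/18-15:00:25.000000  [**] [1:1000001:1] CONSTRUCTED test signature [**] "
               "[Priority: 1] {TCP} 192.0.2.10:51003 -> 203.0.113.4:443")

# Timestamp, protocol and the "src:port -> dst:port" tail of a fast alert.
ALERT_RE = re.compile(
    r"^(?P<mon>\d\d)/(?P<day>\d\d)-(?P<h>\d\d):(?P<m>\d\d):(?P<s>\d\d)\.(?P<us>\d{6})"
    r".*?\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)"
)


def parse_fast_alert(line, year):
    """Return the alert as a dict with an epoch 'ts' plus endpoints."""
    m = ALERT_RE.match(line)
    if not m:
        raise ValueError("not a Snort fast-format alert line")
    ts = datetime(year, int(m["mon"]), int(m["day"]), int(m["h"]), int(m["m"]),
                  int(m["s"]), int(m["us"]), tzinfo=timezone.utc).timestamp()
    return {"ts": ts, "proto": m["proto"], "src": m["src"], "sport": int(m["sport"]),
            "dst": m["dst"], "dport": int(m["dport"])}


def parse_bro_log(text):
    """Parse a Bro ASCII log into a list of dicts keyed by the #fields names."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line.startswith("#") or not line.strip():
            continue  # #separator, #types, #open, etc.
        elif fields is None:
            raise ValueError("data line before #fields header")
        else:
            rows.append(dict(zip(fields, line.split("\t"))))
    return rows


def preceding_connections(alert, conns, window_secs):
    """Connections touching the alert's source host that started within
    window_secs before (or at) the alert time, oldest first."""
    lo, hi = alert["ts"] - window_secs, alert["ts"]
    hits = [c for c in conns
            if alert["src"] in (c["id.orig_h"], c["id.resp_h"])
            and lo <= float(c["ts"]) <= hi]
    hits.sort(key=lambda c: float(c["ts"]))
    return hits


if __name__ == "__main__":
    alert = parse_fast_alert(SNORT_ALERT, 2011)
    for c in preceding_connections(alert, parse_bro_log(BRO_CONN_LOG), 60):
        print(c["uid"], c["id.orig_h"], "->", c["id.resp_h"], c["service"],
              f"{alert['ts'] - float(c['ts']):.1f}s before alert")
```

The same idea extends to Bro's `http.log` and `smtp.log`, which carry the same `uid` field, so once you have the connection UIDs from the window you can pull the matching URLs or mail envelopes without touching full pcap.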


