[Snort-users] [Snort-Users] about capturing packets

Kevin Ross kevross33 at ...14012...
Tue Feb 14 03:38:38 EST 2012


Yes, use daemonlogger. Also use openfpc (openfpc.org) to provide an
interface for that, and use Snorby too to tie it together with Snort
alerting. Make sure you have plenty of space (or roll over after a certain
amount). If you have the capacity to store it all and have an idea of why
you want to do this (do you want to carve all files out and automatically
process them for malicious artifacts, do you want to look at more detail
for events surrounding the attack, which I guess you do, etc.). Hoping to
store all traffic, however, with the intention of just "looking through it"
for suspicious stuff would be a waste of your time without clues pointing
you to where you should look. I.e. http://blog.damballa.com/?p=1113 :-)

I always hope that a happy middle ground would be reached that could
provide the packet capture for not only the alert but also surrounding
sessions between the client and the attacker (not using traffic tagging in
the rule options) and also all files related to it (EXEs, PDFs, Flash
content etc) so you had much better forensic data without having to give up
huge amounts of disk space to store it all....

Kind Regards,
Kevin Ross

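Kevin's "happy middle ground" (the packet capture for the alert plus the surrounding session between client and attacker) can be carved out of a daemonlogger-style rolled pcap after the fact. As an added example that is not from the thread nor from daemonlogger, openfpc or Snorby, here is a pure-Python pcap reader that pulls both directions of the alerted TCP session from a capture within a time window of the alert; the sample capture, addresses, ports and timestamps are constructed.

```python
import struct

PCAP_MAGIC_LE = 0xA1B2C3D4  # classic pcap, microsecond timestamps, little-endian

def inet(addr): return bytes(int(o) for o in addr.split("."))  # dotted quad -> 4 bytes

def tcp_frame(src, dst, sport, dport, payload=b""):
    """Constructed Ethernet/IPv4/TCP frame; checksums left zero, enough for flow keys."""
    eth = b"\x00" * 12 + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0, inet(src), inet(dst))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x18, 65535, 0, 0)
    return eth + ip + tcp + payload

def build_pcap(records):
    """Serialise (timestamp, frame) pairs as a pcap file with linktype 1 (Ethernet)."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, 1)
    for ts, frame in records:
        out += struct.pack("<IIII", int(ts), int(ts % 1 * 1e6), len(frame), len(frame)) + frame
    return out

def iter_pcap(data):
    # Yield (timestamp, frame) from pcap bytes, honouring the byte order the magic implies.
    end = "<" if struct.unpack_from("<I", data)[0] == PCAP_MAGIC_LE else ">"
    off = 24
    while off + 16 <= len(data):
        sec, usec, incl, _ = struct.unpack_from(end + "IIII", data, off)
        off += 16
        yield sec + usec / 1e6, data[off:off + incl]
        off += incl

def flow_key(frame):
    """Direction-agnostic set of TCP endpoints, or None for non-IPv4/non-TCP frames."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None
    sport, dport = struct.unpack_from("!HH", frame, 14 + (frame[14] & 0x0F) * 4)
    return frozenset({(frame[26:30], sport), (frame[30:34], dport)})

def carve_session(pcap_bytes, src, sport, dst, dport, alert_ts, window=60.0):
    """Both directions of the alerted TCP session within +/- window seconds of the alert."""
    key = frozenset({(inet(src), sport), (inet(dst), dport)})
    return [(ts, f) for ts, f in iter_pcap(pcap_bytes)
            if abs(ts - alert_ts) <= window and flow_key(f) == key]

# Constructed sample capture: the alerted flow 10.0.0.5:40000 <-> 203.0.113.9:80, one
# unrelated flow, and an older packet of the alerted flow that falls outside the window.
SAMPLE_PCAP = build_pcap([
    (1329200000.0, tcp_frame("10.0.0.5", "203.0.113.9", 40000, 80)),               # too old
    (1329201000.0, tcp_frame("10.0.0.5", "203.0.113.9", 40000, 80, b"GET /x.exe")),
    (1329201000.5, tcp_frame("203.0.113.9", "10.0.0.5", 80, 40000, b"MZ")),        # alert fires
    (1329201001.0, tcp_frame("10.0.0.7", "198.51.100.2", 40001, 443)),             # other flow
])
```

Feeding the carved frames back through `build_pcap` gives a small per-alert pcap that can be kept long after the full capture has rolled over.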

On 14 February 2012 04:28, umakanta majhi <umakantmajhi at ...11827...> wrote:

> In IDS mode Snort alerts on the packets as per the rules assigned and logs
> them. My Q is, is it possible to capture all the packets, including these
> alerted packets, separately?
>
>
>
> On Mon, Feb 13, 2012 at 8:21 PM, Joel Esler <jesler at ...1935...> wrote:
>
>> I'm not clear what you mean by "effected" packets?
>>
>> Can you clarify here?
>>
>> --
>> Joel Esler
>> Senior Research Engineer, VRT
>> OpenSource Community Manager
>> Sourcefire
>>
>> On Feb 13, 2012, at 2:14 AM, umakanta majhi wrote:
>>
>> hi all
>>
>> Can anyone tell how we can log both normal packets and effected packets
>> in IDS mode?
>>
>> --
>> To post to this group, send email to snortusers at ...14071...
>>
>>
>> Please visit http://blog.snort.org for the latest news about Snort!
>>
>>
>