[Snort-users] [Snort-Users] about capturing packets

Martin Holste mcholste at ...11827...
Tue Feb 14 09:57:46 EST 2012


> I always hope that a happy middle ground would be reached that could provide
> the packet capture for not only the alert but also surrounding sessions
> between the client and the attacker (not using traffic tagging in the rule
> options) and also all files related to it (EXEs, PDFs, Flash content etc) so
> you had much better forensic data without having to give up huge amounts of
> disk space to store it all....

That's exactly what streamdb.googlecode.com does, like this:

http://streamdb/?srcip=1.1.1.1&dstip=2.2.2.2&filetype=executable

or filetype=pdf, etc.  It will handle all of the HTTP
gunzipping/dechunking, and then runs file magic on the HTTP response
payload.  It will then provide a distinct object id (oid) for the
extracted object so you can refer to it directly (even when there are
many objects in the same TCP flow), which is great for attaching to
tickets or putting into sandbox submission scripts.  It also allows
for PCRE searches (&pcre=) and uses OpenFPC-compatible URI patterns, so
it can be a drop-in replacement for any OpenFPC installation.  Another
important difference is that it has a configurable limit on how much
of the flow to capture (one megabyte by default), which will greatly
improve the utility of your disk.

It does all of this in less than one second even on a 10 TB data
store, because the flows themselves are indexed by IP and timestamp.

We run full pcap alongside StreamDB and almost never need to go back
and wait around to grab pcap.
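The extraction pipeline described in the post above (dechunk and gunzip each HTTP response in a flow, run file magic on the decoded body, hand out a per-object id so several objects in one TCP flow can be referenced separately, then filter by filetype or regex) as an added example. This is illustrative code written for this page, not StreamDB's own code. Assumptions: a short magic-byte table stands in for libmagic, the oid is the first 16 hex digits of SHA-256 over the decoded body, Python's re module stands in for PCRE, and the three-response keep-alive stream is constructed inline.

```python
import gzip
import hashlib
import re

# Constructed magic-byte table for the file classes named in the thread.
# A real extractor would call libmagic instead (assumption).
MAGIC = [
    (b"MZ", "executable"),      # PE / DOS header
    (b"\x7fELF", "executable"),
    (b"%PDF", "pdf"),
    (b"FWS", "flash"),          # uncompressed SWF
    (b"CWS", "flash"),          # zlib-compressed SWF
    (b"ZWS", "flash"),          # LZMA-compressed SWF
]


def classify(payload):
    """Return a coarse file type for a decoded response body."""
    for sig, name in MAGIC:
        if payload.startswith(sig):
            return name
    return "unknown"


def read_chunked(stream, pos):
    """Decode one chunked body starting at stream[pos]; return (body, next_pos)."""
    out = bytearray()
    while True:
        eol = stream.index(b"\r\n", pos)
        size = int(stream[pos:eol].split(b";")[0], 16)  # drop chunk extensions
        pos = eol + 2
        if size == 0:
            while stream[pos:pos + 2] != b"\r\n":       # skip any trailer headers
                pos = stream.index(b"\r\n", pos) + 2
            return bytes(out), pos + 2
        out += stream[pos:pos + size]
        pos += size + 2                                 # CRLF after chunk data


def extract_objects(stream):
    """Walk a server->client byte stream holding several HTTP/1.1 responses.

    Each response is dechunked, gunzipped, classified by magic and given an
    oid (assumed scheme: SHA-256 prefix of the decoded body) plus its index
    in the flow, so one flow yields many independently addressable objects.
    """
    objects = []
    pos = 0
    while pos < len(stream):
        hdr_end = stream.index(b"\r\n\r\n", pos)
        lines = stream[pos:hdr_end].decode("latin-1").split("\r\n")
        headers = {}
        for line in lines[1:]:                  # lines[0] is the status line
            key, _, val = line.partition(":")
            headers[key.strip().lower()] = val.strip()
        pos = hdr_end + 4
        if headers.get("transfer-encoding", "").lower() == "chunked":
            body, pos = read_chunked(stream, pos)
        else:
            length = int(headers.get("content-length", "0"))
            body, pos = stream[pos:pos + length], pos + length
        if headers.get("content-encoding", "").lower() == "gzip":
            body = gzip.decompress(body)
        objects.append({
            "index": len(objects),
            "oid": hashlib.sha256(body).hexdigest()[:16],
            "filetype": classify(body),
            "content_type": headers.get("content-type", ""),
            "size": len(body),
            "payload": body,
        })
    return objects


def search(objects, filetype=None, pcre=None):
    """Mimic ?filetype=...&pcre=... over extracted objects (re stands in for PCRE)."""
    hits = objects
    if filetype:
        hits = [o for o in hits if o["filetype"] == filetype]
    if pcre:
        hits = [o for o in hits if re.search(pcre.encode("latin-1"), o["payload"])]
    return hits


# Constructed sample flow: three responses on one keep-alive connection.
PE_PAYLOAD = b"MZ\x90\x00" + b"\x00" * 60 + b"PE\x00\x00" + b"A" * 200   # fake PE stub
PDF_PAYLOAD = b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\n%%EOF\n"
HTML_PAYLOAD = b"<html><body>landing page</body></html>"


def chunked(data, chunk=7):
    """Chunked-transfer-encode data in fixed-size chunks plus the terminating chunk."""
    parts = [b"%x\r\n%s\r\n" % (len(data[i:i + chunk]), data[i:i + chunk])
             for i in range(0, len(data), chunk)]
    return b"".join(parts) + b"0\r\n\r\n"


def build_sample_stream():
    gz = gzip.compress(PE_PAYLOAD, mtime=0)
    r1 = (b"HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n"
          b"Content-Encoding: gzip\r\nTransfer-Encoding: chunked\r\n\r\n" + chunked(gz))
    r2 = (b"HTTP/1.1 200 OK\r\nContent-Type: application/pdf\r\n"
          b"Content-Length: %d\r\n\r\n" % len(PDF_PAYLOAD) + PDF_PAYLOAD)
    r3 = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
          b"Content-Length: %d\r\n\r\n" % len(HTML_PAYLOAD) + HTML_PAYLOAD)
    return r1 + r2 + r3


if __name__ == "__main__":
    objs = extract_objects(build_sample_stream())
    for o in objs:
        print(o["index"], o["oid"], o["filetype"], o["content_type"], o["size"])
    print("executables:", [o["oid"] for o in search(objs, filetype="executable")])
```

The oid is computed over the decoded body rather than the wire bytes, so the same dropped file fetched twice with different chunk boundaries or gzip settings yields the same id; the flow index is kept alongside it because a ticket or sandbox submission usually wants to say which object in which flow, not just which hash.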
