[Snort-users] Ignoring Backups - TCP Stateful?

Doug Burks doug.burks at ...11827...
Wed Dec 3 13:59:13 EST 2014

Hi colony.three,

Replies inline.

On Wed, Dec 3, 2014 at 11:53 AM, colony.three
<colony.three at ...17037...> wrote:
> Can anyone advise?
> -------- Original Message --------
> Subject: Ignoring Backups - TCP Stateful?
> Time (GMT): Nov 30 2014 17:26:14
> From: colony.three at ...17037...
> To: snort-users at lists.sourceforge.net
> Today is backups day.  I certainly can't be logging backup packets, because
> I have 10TB to back up and the SecurityOnion disk is only 100GB.  And
> there's no use in it anyway.  I need to Ignore this stream.
> So I've moved rsync backups of machines on my LAN to port 8027, so I can set
> bpf.conf to Ignore traffic on that port.  I wish I could set it to Ignore
> for a certain time period, but it seems that's not possible.

You could write a cron job that would fire at the beginning of your
backup window that would put the BPF in place and restart the
appropriate services.  Then write a second cron job that would fire at
the end of your backup window to remove the BPF and restart the
appropriate services.

> # Backups
> not(tcp src host and (tcp src port 8027))
> I think this should not log packets -from- the backups machine (.4)
> requesting the backup, but what about the responses?  These will likely come
> back on different src and dst ports which there is no way of predicting.  If
> packet capture for tcp is stateful, I should be OK.  But somehow I doubt the
> various SecurityOnion apps assemble tcp packet streams statefully,
> real-time.  I can see how to assemble them later for analysis, but not
> real-time.
> Is there a recommended way to -not- save backup packets to disk in this
> situation?

Have you seen the BPF page on our Wiki?

There are some good examples there and also some good links on how to
troubleshoot BPF using tcpdump.

Doug Burks
Need Security Onion Training or Commercial Support?
Last day to register for 3-Day Training Class in Augusta GA is 12/11!
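The question in the quoted message is whether the responses to the backup traffic will slip past a filter written only for the requesting direction. They will, and BPF does not need stateful tracking to handle it: a TCP connection keeps the same two addresses and two ports for its whole lifetime, with source and destination swapped on the way back, so a filter that uses `host` and `port` without a `src`/`dst` qualifier (in tcpdump/BPF the default direction is `src or dst`) matches both directions of the flow. The following script is an added illustration, not part of the thread or of Security Onion; it models the two filter shapes on a handful of constructed packet 4-tuples. The addresses (192.0.2.4 standing in for the ".4" backup machine, 192.0.2.10 and 192.0.2.20 as peers) and the ephemeral ports are made up for the example.

```python
from dataclasses import dataclass
from typing import Callable, List

# Placeholder for the ".4" backup machine in the quoted message (constructed, TEST-NET-1 address).
BACKUP_HOST = "192.0.2.4"
BACKUP_PORT = 8027


@dataclass(frozen=True)
class Packet:
    """Minimal TCP 4-tuple; enough to evaluate host/port filters."""
    src: str
    sport: int
    dst: str
    dport: int


def src_only(pkt: Packet) -> bool:
    """Models `src host 192.0.2.4 and src port 8027`: one direction only."""
    return pkt.src == BACKUP_HOST and pkt.sport == BACKUP_PORT


def either_direction(pkt: Packet) -> bool:
    """Models `host 192.0.2.4 and port 8027`: BPF's default direction is
    `src or dst`, so the fixed port is matched whether it is the source or
    the destination side of the packet."""
    return BACKUP_HOST in (pkt.src, pkt.dst) and BACKUP_PORT in (pkt.sport, pkt.dport)


def kept_packets(packets: List[Packet], exclude: Callable[[Packet], bool]) -> List[Packet]:
    """Apply `not (...)`: keep only what the exclusion predicate does not match."""
    return [p for p in packets if not exclude(p)]


def replies_missed_by_src_only(packets: List[Packet]) -> List[Packet]:
    """Packets the bidirectional filter drops but the src-only filter would still
    write to disk: exactly the return traffic the poster was worried about."""
    return [p for p in packets if either_direction(p) and not src_only(p)]


# Constructed sample traffic: one backup flow (request + reply, reply comes back
# to the same 8027 port with src/dst swapped) and one unrelated HTTPS flow.
SAMPLE = [
    Packet("192.0.2.4", 8027, "192.0.2.10", 41000),   # backup request from .4
    Packet("192.0.2.10", 41000, "192.0.2.4", 8027),   # reply: ports swapped, 8027 is now dport
    Packet("192.0.2.20", 443, "192.0.2.4", 51000),    # unrelated traffic to .4, must be kept
    Packet("192.0.2.4", 51000, "192.0.2.20", 443),    # unrelated traffic from .4, must be kept
]

if __name__ == "__main__":
    for name, flt in (("src-only", src_only), ("either-direction", either_direction)):
        kept = kept_packets(SAMPLE, flt)
        print(f"not ({name}) keeps {len(kept)} of {len(SAMPLE)} packets")
    print("replies that escape the src-only filter:", replies_missed_by_src_only(SAMPLE))
```

In tcpdump syntax the equivalent exclusion for this model is `not (host 192.0.2.4 and port 8027)`; it drops the request and the reply of the flow and leaves the unrelated traffic untouched. Before relying on a filter, read it back with `tcpdump -nn -i <iface> -d '<expression>'` to see the compiled program, and with a capture of a real backup session to confirm that both directions disappear.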
