[Snort-users] Ignoring Backups - TCP Stateful?

Doug Burks doug.burks at ...11827...
Wed Dec 3 13:59:13 EST 2014


Hi colony.three,

Replies inline.

On Wed, Dec 3, 2014 at 11:53 AM, colony.three
<colony.three at ...17037...> wrote:
> Can anyone advise?
>
>
> -------- Original Message --------
> Subject: Ignoring Backups - TCP Stateful?
> Time (GMT): Nov 30 2014 17:26:14
> From: colony.three at ...17037...
> To: snort-users at lists.sourceforge.net
>
> Today is backups day.  I certainly can't be logging backup packets, because
> I have 10TB to back up and the SecurityOnion disk is only 100GB.  And
> there's no use in it anyway.  I need to Ignore this stream.
>
> So I've moved rsync backups of machines on my LAN to port 8027, so I can set
> bpf.conf to Ignore traffic on that port.  I wish I could set it to Ignore
> for a certain time period, but it seems that's not possible.

You could write a cron job that would fire at the beginning of your
backup window that would put the BPF in place and restart the
appropriate services.  Then write a second cron job that would fire at
the end of your backup window to remove the BPF and restart the
appropriate services.

> # Backups
> not(tcp src host 192.168.1.4 and (tcp src port 8027))
>
> I think this should not log packets -from- the backups machine (.4)
> requesting the backup, but what about the responses?  These will likely come
> back on different src and dst ports which there is no way of predicting.  If
> packet capture for tcp is stateful, I should be OK.  But somehow I doubt the
> various SecurityOnion apps assemble tcp packet streams statefully,
> real-time.  I can see how to assemble them later for analysis, but not
> real-time.
>
> Is there a recommended way to -not- save backup packets to disk in this
> situation?

Have you seen the BPF page on our Wiki?
https://code.google.com/p/security-onion/wiki/BPF

There are some good examples there and also some good links on how to
troubleshoot BPF using tcpdump.


-- 
Doug Burks
Need Security Onion Training or Commercial Support?
http://securityonionsolutions.com
Last day to register for 3-Day Training Class in Augusta GA is 12/11!
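One detail behind the stateful-capture question above: a BPF is evaluated on each packet in isolation, with no connection tracking, so a filter written with `src host` and `src port` describes only one direction of a session. The rsync client at 192.168.1.4 opens connections from an ephemeral port to port 8027, and the replies come back from port 8027, so a filter that demands .4 as source and 8027 as source port matches neither direction. The direction-agnostic `host` and `port` qualifiers match both. The script below is an added example, not code from the thread or from the Security Onion project. It builds that expression, stages it into a filter file the way the cron jobs Doug describes would, and clears it again; the bpf.conf path, the cron times, the script name in the commented crontab lines and the sensor restart command are all placeholders to be replaced with your sensor's own values, and the tcpdump compile check only works where tcpdump is installed and the calling user may open the default interface.

```shell
#!/bin/sh
# Added example: stage and remove a direction-agnostic BPF for an rsync
# backup window. Paths, schedule and restart command are placeholders.

# backup_bpf CLIENT_IP DAEMON_PORT -> prints a filter that drops both
# directions of the backup stream. "host" and "port" without src/dst match
# whichever end of the packet carries that address or port, which is what a
# stateless per-packet filter needs to cover requests and replies alike.
backup_bpf() {
    printf 'not (host %s and tcp port %s)\n' "$1" "$2"
}

# original_bpf CLIENT_IP DAEMON_PORT -> the filter posted in the thread, kept
# verbatim for comparison: it requires the client to be the packet source AND
# the daemon port to be the source port, which no client-initiated rsync
# session produces, so it does not exclude the backup traffic.
original_bpf() {
    printf 'not(tcp src host %s and (tcp src port %s))\n' "$1" "$2"
}

# install_bpf FILE EXPR -> writes FILE via a temp file and rename, so a sensor
# restarted by the second cron job never reads a half-written filter.
install_bpf() {
    tmp="$1.tmp.$$"
    printf '# Backups (installed %s)\n%s\n' \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$2" > "$tmp" && mv "$tmp" "$1"
}

# clear_bpf FILE -> truncates FILE so the sensor captures everything again.
clear_bpf() {
    : > "$1"
}

# check_bpf EXPR -> returns tcpdump's exit status from compiling the filter
# with -d (non-zero also when the caller lacks capture permission, so run it
# as the user cron will use); returns 2 when tcpdump is not installed.
check_bpf() {
    command -v tcpdump >/dev/null 2>&1 || return 2
    tcpdump -d "$1" >/dev/null 2>&1
}

# Crontab lines matching the two-job approach from the reply (constructed
# placeholders: window, script path and restart command are yours to set):
#   0 2 * * 0  /usr/local/bin/backup-window.sh start   # install filter, restart sensor
#   0 6 * * 0  /usr/local/bin/backup-window.sh stop    # clear filter, restart sensor

# Demo run in a scratch directory standing in for the sensor's bpf.conf.
work=$(mktemp -d)
bpf_file="$work/bpf.conf"
expr=$(backup_bpf 192.168.1.4 8027)
install_bpf "$bpf_file" "$expr"
echo "staged filter:"
cat "$bpf_file"
echo "filter from the thread, for contrast: $(original_bpf 192.168.1.4 8027)"
check_bpf "$expr" && echo "tcpdump compiled the filter" \
    || echo "tcpdump check not run or failed (status $?)"
clear_bpf "$bpf_file"
rm -rf "$work"
```

Validate the expression with `tcpdump -d` (or capture briefly with `tcpdump -nn` and the same expression during a backup) before the cron jobs go live, because a filter that compiles but matches nothing still leaves 10TB of backup traffic on a 100GB disk.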