[Snort-users] Ignoring Backups - TCP Stateful?

Doug Burks doug.burks at ...11827...
Thu Dec 4 08:22:53 EST 2014

Replies inline.

On Wed, Dec 3, 2014 at 7:12 PM, Colony.Three <Colony.Three at ...17037...> wrote:
>>> # Backups
>>> not(tcp src host and (tcp src port 8027))
>>> I think this should not log packets -from- the backups machine (.4)
>>> requesting the backup, but what about the responses? These will likely
>>> come back on different src and dst ports which there is no way of
>>> predicting. If packet capture for tcp is stateful, I should be OK. But
>>> somehow I doubt the various SecurityOnion apps assemble tcp packet
>>> streams statefully, real-time. I can see how to assemble them later for
>>> analysis, but not real-time.
>>> Is there a recommended way to -not- save backup packets to disk in this
>>> situation?
>> Have you seen the BPF page on our Wiki?
>> https://code.google.com/p/security-onion/wiki/BPF
>> There are some good examples there and also some good links on how to
>> troubleshoot BPF using tcpdump.
> Sure, that was one of the first docs I read when setting up for Ignore of
> backups.
> But nothing addresses this issue of Ignoring whole TCP stateful sessions.
> It stands to reason that packet capture will collect anything not
> specifically Ignored, and there is no way to predict what src/dest ports
> that responses to the rsync command will come back on.
> I was hoping that someone had succeeded in excluding backups before, and had
> come up with a solution, as it is such an unnecessary waste of packet
> capture space.
> As SecurityOnion runs in a vbox VM, it's not practical to shut down the
> whole thing when it's time for (automatic) backups instigated by the backups
> server. (a whole 'nother machine)  Would I have to murder the VM with a cron
> job, and then restart it manually?  I don't like the idea of my IDS being
> down all Sunday.

No, I wouldn't recommend shutting your IDS down for a day either :)

Instead, simply write a cron job that would fire at the beginning of
your backup window that would put the BPF in place and restart the
appropriate services on the Security Onion VM (snort, netsniff-ng,
etc.).  Then write a second cron job that would fire at the end of
your backup window to remove the BPF and restart the appropriate

> In my case, the backups server calls rsync to backup the LAN machines
> (concurrently).  The rsync daemon is not used anywhere.

Can you provide more information about what the actual traffic flows
look like?  Perhaps some example traffic flows?

Would it help to simplify the BPF by removing "src"?  So something like this?

not(tcp host and tcp port 8027)

Doug Burks

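Added example, not part of the original message or of Security Onion: a small Python model of how a stateless BPF is evaluated per packet, comparing the directional filter from the thread with the simplified one that drops "src". The address 192.0.2.4 for the backups machine, the LAN addresses and the ephemeral ports are constructed; both possible owners of port 8027 are modelled because the thread does not say which side listens on it.

```python
from collections import namedtuple

Pkt = namedtuple("Pkt", "src sport dst dport")

BACKUP = "192.0.2.4"   # constructed stand-in for the backups machine (.4)
PORT = 8027            # port used in the filters in the thread

def directional(p):
    """Keep packet unless it is sent BY the backup host FROM port 8027."""
    return not (p.src == BACKUP and p.sport == PORT)

def symmetric(p):
    """Keep packet unless the backup host is either endpoint and 8027 is
    either port. Like BPF 'host'/'port', the two tests are independent."""
    return not (BACKUP in (p.src, p.dst) and PORT in (p.sport, p.dport))

def session(client, cport, server, sport, rounds=3):
    """Constructed TCP exchange: each reply is the request's 4-tuple reversed."""
    pkts = []
    for _ in range(rounds):
        pkts.append(Pkt(client, cport, server, sport))
        pkts.append(Pkt(server, sport, client, cport))
    return pkts

def captured(keep, pkts):
    """Packets that would still be written to disk under filter 'keep'."""
    return [p for p in pkts if keep(p)]

# Case A: a LAN host connects to port 8027 on the backup machine.
CASE_A = session("192.0.2.20", 51514, BACKUP, PORT)
# Case B: the backup machine connects out to port 8027 on a LAN host.
CASE_B = session(BACKUP, 40222, "192.0.2.21", PORT)
# Traffic that must still be captured: backup host on another port, and
# port 8027 between two hosts that are not the backup machine.
OTHER = session(BACKUP, 40300, "198.51.100.7", 443) + \
        session("192.0.2.9", 50100, "192.0.2.21", PORT)

def summary():
    """Count of packets captured per filter and traffic set."""
    sets = {"A": CASE_A, "B": CASE_B, "other": OTHER}
    return {(f.__name__, name): len(captured(f, pkts))
            for f in (directional, symmetric) for name, pkts in sets.items()}

if __name__ == "__main__":
    for key, count in sorted(summary().items()):
        print(key, count)
```

The directional filter still records half of case A and all of case B, while the symmetric filter excludes both directions of either case without tracking state and leaves the unrelated traffic untouched.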