[Snort-users] getting a full copy of pcap for forensic purpose from Snort

Long, Kerry S kslong at ...312...
Thu Mar 20 09:48:14 EDT 2014

I looked at daemonlogger before.  I looked kind of cool.  Not sure how I get it to listen to the interface to dump packets, while at the same time feeding snort with it in real time. I could have both Snort and daemonlogger read from the same interface. However, I have been cautioned by others and seen it myself that having 2 processes listening to the same interface at the same time can cause competition which can cause packet loss for one or both of the listening processes.  So I don't know if it is permissible to have  both processes listening on the interface at the same time.  Won't that just guarantee packet loss or is this not as much of concern anymore with multiple core machines?



From: Joel Esler (jesler) [mailto:jesler at ...589...]
Sent: Thursday, March 20, 2014 9:38 AM
To: Long, Kerry S
Cc: snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] getting a full copy of pcap for forensic purposes from Snort

On Mar 20, 2014, at 9:26 AM, Long, Kerry S <kslong at ...312...<mailto:kslong at ...312...>> wrote:

I am trying to create a sensor with Snort that has Snort listening on the interface processing rules and such while also creating a full copy of pcap seen on the interface for forensic purposes.  I have enough storage to hold about a month of pcap in this instance.  I am familiar with the capability of using a log rule to log packets but the problem is that the pcap has to go through all the alert rules first it seems before it can be logged.  The problem is that packets can be dropped as the amount of network traffic increases during the day.

I have tried using this in my config file to alleviate the problem:

# Per Packet latency configuration

config ppm: max-pkt-time 100, \

   fastpath-expensive-packets, \


and this has helped somewhat but I am still not logging some packets (which for a forensic record is bad) and I am missing the benefit of several snort rules that take more than 100 usecs.

Any ideas how I can get Snort to both log all packets to disk and alert on traffic it sees on the interface.

Daemonlogger is probably better for simply logging packets to disk, as it has some capabilities that Snort does not:


That way Snort can perform the IDS function and Daemonlogger can perform the traffic logging function.

Joel Esler
Open Source Manager
Threat Intelligence Team Lead
Vulnerability Research Team

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20140320/5de3567d/attachment.html>

More information about the Snort-users mailing list