[Snort-users] Tagging

Matheus Condi'ez conma293 at ...11827...
Wed May 21 18:16:03 EDT 2014


Right, what commercial product?

I just tested out the rule - it just gives me 2500 single events which, if
pcap'd, would be able to reassemble quite nicely, so snort/barnyard2 doesn't
have a tool to output/carve the pcaps?


On Thu, May 22, 2014 at 5:30 AM, Joel Esler (jesler) <jesler at ...589...> wrote:

> The answer is, I don't think there is an "open source" interface that
> correlates these events together.  Our commercial product does so, but I'm
> not aware of any GUI that takes the events and mashes them together.
>
>
> On May 21, 2014, at 6:25 AM, Turnbough, Bradley E. <bturnbough at ...15820....>
> wrote:
>
> > Hi Matheus,
> >
> > I've asked almost this exact question before and didn't really receive a
> decent response.
> >
> > I have a sensor sitting in between my proxy and my internet connection.
>  The IDS alerts on various things, but it only provides the data that trips
> the alert.  It doesn't provide the preceding 'x' number of packets that
> contain the metadata.  Makes it very difficult to troubleshoot if you can't
> determine the 'x-forwarded-for'.
> >
> >
> > ________________________________
> > From: Matheus Condi'ez [conma293 at ...11827...]
> > Sent: Tuesday, May 20, 2014 11:07 PM
> > To: Snortusers
> > Subject: [Snort-users] Tagging
> >
> > Hey guys,
> >
> > I'm beginning to muddle around with tagging, can seemingly get the rules
> to fire off quite easily and tag 'full' packets for x amount of time, bytes
> etc ...
> >
> > But then this gets lumped into the U2 files and processed by Barnyard2
> --> what I'm wondering is how the packets in addition to the alerting packet
> get processed by BY2 output so that it would come up as the whole payload
> in a Snorby or Tripwire interface...
> >
> > any takers?
> >
> >
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users at lists.sourceforge.net
> > Go to this URL to change user options or unsubscribe:
> > https://lists.sourceforge.net/lists/listinfo/snort-users
> > Snort-users list archive:
> > http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
> >
> > Please visit http://blog.snort.org to stay current on all the latest
> Snort news!
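
Since the thread asks whether the tagged packets can be carved back out of the unified2 output, here is an added example (not from the thread, Snort or Barnyard2) that parses a unified2 file, groups UNIFIED2_PACKET records by (sensor_id, event_id), which the alerting packet and its tagged follow-ups share, and writes one pcap per event. The record layout follows Snort's Unified2_common.h; the sample bytes at the bottom are constructed here, with a zero-filled placeholder standing in for the legacy IDS event record.

```python
import struct
from collections import defaultdict

U2_PACKET = 2                       # UNIFIED2_PACKET record type
HDR = struct.Struct(">II")          # record header: type, length of body (header bytes not counted)
# Unified2Packet: sensor_id, event_id, event_second, packet_second, packet_microsecond, linktype, packet_length
PKT = struct.Struct(">IIIIIII")

def parse_unified2(data):
    """Yield (type, body) for each complete record; a truncated tail (file still being written) ends iteration."""
    off = 0
    while off + HDR.size <= len(data):
        rtype, length = HDR.unpack_from(data, off)
        off += HDR.size
        if off + length > len(data):
            break
        yield rtype, data[off:off + length]
        off += length

def packets_by_event(data):
    """Group packet records by (sensor_id, event_id): the alerting packet and its tagged packets share the id."""
    groups = defaultdict(list)
    for rtype, body in parse_unified2(data):
        if rtype != U2_PACKET:
            continue                # event and extra-data records are not needed for carving
        sensor, event_id, _evsec, sec, usec, linktype, plen = PKT.unpack_from(body)
        groups[(sensor, event_id)].append((sec, usec, linktype, body[PKT.size:PKT.size + plen]))
    return dict(groups)

def to_pcap(pkts):
    """Serialize one event's packets as a classic libpcap file (little-endian, microsecond timestamps)."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, pkts[0][2])]
    for sec, usec, _lt, pkt in pkts:
        out.append(struct.pack("<IIII", sec, usec, len(pkt), len(pkt)) + pkt)
    return b"".join(out)

def u2_packet_record(event_id, sec, usec, payload, sensor=1, linktype=1):
    """Build a UNIFIED2_PACKET record; used only to construct the sample below."""
    body = PKT.pack(sensor, event_id, sec, sec, usec, linktype, len(payload)) + payload
    return HDR.pack(U2_PACKET, len(body)) + body

# Constructed sample: a zeroed legacy event record, the packet that fired it, two tagged
# packets carrying the same event_id, then a packet belonging to an unrelated event.
SAMPLE = (HDR.pack(7, 52) + bytes(52)
          + u2_packet_record(9, 1400600000, 100, b"\xaa" * 60)
          + u2_packet_record(9, 1400600000, 250, b"\xbb" * 74)
          + u2_packet_record(9, 1400600001, 5, b"\xcc" * 80)
          + u2_packet_record(10, 1400600002, 0, b"\xdd" * 64))

if __name__ == "__main__":          # write one pcap per event from the sample
    for (sensor, eid), pkts in packets_by_event(SAMPLE).items():
        open(f"event_{sensor}_{eid}.pcap", "wb").write(to_pcap(pkts))
```

Point it at a real snort.log.* file instead of SAMPLE and each event's pcap will hold the alerting packet followed by everything the tag kept.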