[Snort-users] Tagging

Vivek Rajagopalan vivek at ...15649...
Sat May 24 09:57:16 EDT 2014


One free option you might want to try is Trisul (trisul.org). This pulls
together the alert-flows-packets workflow at the UI. You can just ask it
to give you a single PCAP containing all flows that generated a particular
alert.

It is basically a flow based packet retrieval system, but does it in bulk
instead of one by one. You can certainly hack the tools mentioned by Shawn
and add a bulk packet retrieval capability too.
On Fri, May 23, 2014 at 9:53 PM, Jefferson, Shawn <
Shawn.Jefferson at ...14448...> wrote:

> Personally, I think the only good "free" solution to this is combining
> Snort with some sort of full packet capture.  I personally use both
> streamDB and OpenFPC, and have hacked BASE to allow lookup to both of
> these.  Snorby can use both of them (although last I checked only one or
> the other) in a similar manner.
>
> -----Original Message-----
> From: Turnbough, Bradley E. [mailto:bturnbough at ...15650...]
> Sent: May 21, 2014 6:26 AM
> To: Snortusers
> Subject: Re: [Snort-users] Tagging
>
> Hi Matheus,
>
> I've asked almost this exact question before and didn't really receive a
> decent response.
>
> I have a sensor sitting in between my proxy and my internet connection.
> The IDS alerts on various things, but it only provides the data that trips
> the alert.  It doesn't provide the preceding 'x' number of packets that
> contain the metadata.  Makes it very difficult to troubleshoot if you can't
> determine the 'x-forwarded-for'.
>
>
> ________________________________
> From: Matheus Condi'ez [conma293 at ...11827...]
> Sent: Tuesday, May 20, 2014 11:07 PM
> To: Snortusers
> Subject: [Snort-users] Tagging
>
> Hey guys,
>
> I'm beginning to muddle around with tagging, can seemingly get the rules to
> fire off quite easily and tag 'full' packets for x amount of time, bytes
> etc ...
>
> But then this gets lumped into the U2 files and processed by Barnyard2 -->
> what I'm wondering is how the packets in addition to the alerting packet get
> processed by BY2 output so that it would come up as the whole payload in a
> snorby or tripwire interface...
>
> any takers?
>
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>
> Please visit http://blog.snort.org to stay current on all the latest
> Snort news!
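To make concrete what the thread is circling around (Matheus's question of how the tagged packets end up beside the alerting packet in the U2 file, and Vivek's "one PCAP per alert"), here is an added Python example. It is not code from this thread, from Snort or from Barnyard2. It walks a unified2 file, groups every packet record with the IDS event that logged it, and serialises each group as a classic libpcap file. The record layouts are the standard unified2 ones (type 7 legacy IPv4 event, type 2 packet); the sample file is constructed inline, and the grouping assumes that packets logged for an alert, tagged follow-ups included, carry the same sensor_id / event_id / event_second as the event record, which is the key Barnyard2 correlates on.

```python
"""Added example: group unified2 (U2) packet records with their IDS event and
write one PCAP per event.  Not from the thread, Snort or Barnyard2; the
sample U2 data at the bottom is constructed for the demonstration."""
import socket
import struct
from collections import OrderedDict

UNIFIED2_PACKET = 2      # Serial_Unified2Packet
UNIFIED2_IDS_EVENT = 7   # Serial_Unified2IDSEvent_legacy (IPv4, 52 bytes)
EVENT_FMT = ">9I4s4sHHBBBB"   # 52-byte legacy event body
PACKET_FMT = ">7I"            # 28-byte packet header, then packet_length bytes


def iter_records(data):
    """Yield (record_type, payload) for every record in a unified2 byte string."""
    off = 0
    while off + 8 <= len(data):
        rtype, rlen = struct.unpack_from(">II", data, off)
        off += 8
        if off + rlen > len(data):
            raise ValueError("truncated unified2 record at offset %d" % (off - 8))
        yield rtype, data[off:off + rlen]
        off += rlen


def parse_event(payload):
    f = struct.unpack(EVENT_FMT, payload[:52])
    return {"sensor_id": f[0], "event_id": f[1], "event_second": f[2],
            "signature_id": f[4], "generator_id": f[5],
            "src": socket.inet_ntoa(f[9]), "dst": socket.inet_ntoa(f[10]),
            "sport": f[11], "dport": f[12], "protocol": f[13]}


def parse_packet(payload):
    f = struct.unpack_from(PACKET_FMT, payload, 0)
    return {"sensor_id": f[0], "event_id": f[1], "event_second": f[2],
            "packet_second": f[3], "packet_microsecond": f[4],
            "linktype": f[5], "data": payload[28:28 + f[6]]}


def group_by_event(data):
    """Map (sensor_id, event_id, event_second) -> {"event": ..., "packets": [...]}.
    Packets logged before or without their event record are kept too, so
    nothing in the file is silently dropped."""
    groups = OrderedDict()
    for rtype, payload in iter_records(data):
        if rtype == UNIFIED2_IDS_EVENT:
            ev = parse_event(payload)
            key = (ev["sensor_id"], ev["event_id"], ev["event_second"])
            groups.setdefault(key, {"event": None, "packets": []})["event"] = ev
        elif rtype == UNIFIED2_PACKET:
            pk = parse_packet(payload)
            key = (pk["sensor_id"], pk["event_id"], pk["event_second"])
            groups.setdefault(key, {"event": None, "packets": []})["packets"].append(pk)
        # IPv6 events, extra-data records etc. are skipped in this example
    return groups


def to_pcap(packets, linktype=1):
    """Serialise parsed packet records as a classic libpcap file (Ethernet by default)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype)
    for p in packets:
        out += struct.pack("<IIII", p["packet_second"], p["packet_microsecond"],
                           len(p["data"]), len(p["data"])) + p["data"]
    return out


# ---- constructed sample: alert 1 tagged a follow-up packet, alert 2 did not ----
def _event(sensor_id, event_id, event_second, sig_id, src, dst, sport, dport):
    body = struct.pack(EVENT_FMT, sensor_id, event_id, event_second, 0, sig_id, 1, 1,
                       0, 2, socket.inet_aton(src), socket.inet_aton(dst),
                       sport, dport, 6, 0, 0, 0)
    return struct.pack(">II", UNIFIED2_IDS_EVENT, len(body)) + body


def _packet(sensor_id, event_id, event_second, pkt_second, pkt_usec, data):
    body = struct.pack(PACKET_FMT, sensor_id, event_id, event_second,
                       pkt_second, pkt_usec, 1, len(data)) + data
    return struct.pack(">II", UNIFIED2_PACKET, len(body)) + body


# fake frames: 14 zero bytes standing in for an Ethernet header, then payload
FAKE_FRAME_A = b"\x00" * 14 + b"GET /?x=1 HTTP/1.1\r\nX-Forwarded-For: 192.0.2.10\r\n"
FAKE_FRAME_B = b"\x00" * 14 + b"HTTP/1.1 200 OK\r\n"
T0 = 1400000000
SAMPLE_U2 = (
    _event(1, 1, T0, 1000001, "10.0.0.5", "198.51.100.7", 51234, 80)
    + _packet(1, 1, T0, T0, 1000, FAKE_FRAME_A)       # packet that fired the rule
    + _packet(1, 1, T0, T0, 250000, FAKE_FRAME_B)     # tagged follow-up packet
    + _event(1, 2, T0 + 5, 1000002, "10.0.0.9", "198.51.100.7", 51300, 80)
    + _packet(1, 2, T0 + 5, T0 + 5, 0, FAKE_FRAME_A)
)

if __name__ == "__main__":
    for key, g in group_by_event(SAMPLE_U2).items():
        ev = g["event"]
        print("event %s sid=%s %s:%s -> %s:%s packets=%d" % (
            key, ev["signature_id"], ev["src"], ev["sport"],
            ev["dst"], ev["dport"], len(g["packets"])))
        with open("event_%d_%d.pcap" % (key[0], key[1]), "wb") as fh:
            fh.write(to_pcap(g["packets"]))
```

Point the `SAMPLE_U2` constant at the bytes of a real `snort.u2.*` file and the first group shows why Bradley's X-Forwarded-For problem is a front-end issue rather than a logging one: every tagged packet is in the file under the alert's event id, but a console that stores a single packet per event only ever shows the one that tripped the rule.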