Snort mailing list archives
Re: Traffic 'surrounding' an alert (was: Help needed: Performance ...)
From: Marc Dreher <MarcDreher () gmx net>
Date: Wed, 2 Jan 2002 19:13:23 +0100 (MET)
Hi Erek, thanks for your answers, they helped to get further on...
> > 2) Also about IDS mode. Often I think it would be very useful if I had the traffic preceding and following an alert, and not only the packet which caused the alert. Fast logging format would be enough. Is there a recommended way or possibility to achieve this in IDS mode, or do I have to run a second instance of snort for this (which wouldn't do performance too good I guess)?

> You can use tagging to do something like this. IIRC, you can't grab any 'before' the alert, but you can grab them after the alert. Check the archives[1] for the snort-dev list for a discussion on this. Search for Chris Green <cmg () uab edu>.
I found a few posts on tagging and the feature looks good. Although I am not sure if it is advisable to simply add tagging to every signature. The reason I want to capture the whole traffic is that if there is some kind of alert which requires further investigation, the ability to pull the surrounding traffic might come in handy. Lately I read that "being able to pull all the traffic from a host is very valuable when doing analysis. If your IDS does not support this, beat on your vendor" ;-)

As there is no beating needed in regard to snort, my only problem is to find the best way to achieve this from a performance point of view. As I will be having multiple sensors monitoring everything from quiet 10MBit workgroup LANs to a rather busy 100Mbit backbone, I can (mostly) only have one machine doing the alerting in IDS mode and the complete (fast mode) traffic capturing as well. Is this practical at all? Has anybody gathered experience on this issue? Suggestions?

Cheers
Marc
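The workflow the thread is after, pulling the packets around an alert out of a continuous full capture, as an added example that is not from the original thread or from Snort itself. It assumes a libpcap-format capture file (what tcpdump and snort's binary logging write) and a Snort fast-format alert line; the capture bytes and the alert line below are constructed test data, and both are assumed to carry UTC timestamps.

```python
import re
import struct
from datetime import datetime, timezone

# Snort 'fast' alert lines start with "MM/DD-HH:MM:SS.uuuuuu"; the year is not logged.
FAST_TS = re.compile(r"^(\d\d)/(\d\d)-(\d\d):(\d\d):(\d\d)\.(\d{6})")

def fast_alert_epoch(line: str, year: int) -> float:
    """Epoch seconds of a fast-format alert line (year supplied by the caller, UTC assumed)."""
    m = FAST_TS.match(line)
    if not m:
        raise ValueError("not a Snort fast-format alert line")
    mo, d, h, mi, s, us = (int(x) for x in m.groups())
    return datetime(year, mo, d, h, mi, s, us, tzinfo=timezone.utc).timestamp()

def read_pcap(data: bytes):
    """Yield (epoch_seconds, packet_bytes) from a libpcap byte string (microsecond format)."""
    magic = struct.unpack_from("<I", data, 0)[0]
    end = "<" if magic == 0xA1B2C3D4 else ">"   # little- or big-endian writer
    off = 24                                     # skip the 24-byte global header
    while off + 16 <= len(data):
        sec, usec, incl, _orig = struct.unpack_from(end + "IIII", data, off)
        off += 16
        yield sec + usec / 1e6, data[off:off + incl]
        off += incl

def packets_around(data: bytes, alert_ts: float, before=2.0, after=5.0):
    """Packets captured in [alert - before, alert + after]; 'before' is what tagging cannot give."""
    return [pkt for ts, pkt in read_pcap(data)
            if alert_ts - before <= ts <= alert_ts + after]

def build_pcap(packets):
    """Constructed test data only: a minimal little-endian libpcap file (linktype 1 = Ethernet)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for ts, payload in packets:
        sec, usec = int(ts), int(round((ts - int(ts)) * 1e6))
        out += struct.pack("<IIII", sec, usec, len(payload), len(payload)) + payload
    return out

# Constructed sample: an alert at 19:13:23.5 UTC on 2 Jan 2002 and five packets around it.
ALERT_LINE = ("01/02-19:13:23.500000  [**] [1:1000001:0] constructed test alert [**] "
              "{TCP} 10.0.0.5:4321 -> 10.0.0.9:80")
ALERT_TS = fast_alert_epoch(ALERT_LINE, 2002)
SAMPLE_PCAP = build_pcap([(ALERT_TS + d, b"pkt%+d" % d) for d in (-3, -1, 0, 4, 10)])

if __name__ == "__main__":
    for pkt in packets_around(SAMPLE_PCAP, ALERT_TS):   # pkt-1, pkt+0, pkt+4
        print(pkt)
```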