Snort mailing list archives
Re: Database plugin question
From: Phil Wood <cpw () lanl gov>
Date: Wed, 14 Aug 2002 17:31:24 -0600
On Wed, Aug 14, 2002 at 12:33:24PM -0500, Radu Brumariu wrote:
> Yes, this is very close to what I thought. Actually I have some trace
> files that I want to filter through snort, but I need the database
> populated with all the packets found in the trace. That's because I want
> to initially remove some rules and then try to produce them, using some
> algorithm. I just need to run the algorithm on the whole database, ip or
> not ip, just everything that the nic will

what will be your variables, mac, frame size, and encapsulation? That's
about the only thing ip and not ip have in common.

> see. I am also considering modifying tcpdump so it will log to a database
> rather than flat file.
In your case, there are no rules, so you might get your process to log to
a database without impacting the collection process. I would do database
stuff after the fact.

In my case, we have just too much traffic. If I enable database in snort
(or in tcpdump assuming it existed), I would lose lots of packets. I'm
running the full rules set as distributed (leaving the comment'd ones
alone, so the pattern searching and other pre-processing cause some delay
between each packet that can become a problem at higher packet rates). I'm
already losing up to 500,000 on a daily basis while just using the -b
option, 'cause I haven't removed some of the rules that, although they
indicate someone is hacking, have no relation to our world (I'm on the
outside of a firewall which drops these bad boys).

I'm a believer in post processing. However, for a selected set of rules,
ones that really mean that someone has just compromised an sshd with an as
yet unknown vulnerability, I send a page the second it shows up in syslog
(using the old tail -f syslog trick with a few heuristics thrown in so I
don't get inundated).

FYI, here is a summary of our traffic (not alerts, which are between 1 and
2 million every day), for the past few days. Each line represents about 24
hours of traffic.

File                   packets      pps  seconds   drops   alerts
20020729.0000.stats  688687556  7976.81    86399  507263  1003325
20020730.0000.stats  643468531  7450.67    86398  257396  1059096
20020731.0000.stats  633146795  7328.38    86398   16330   969309
20020801.0000.stats  479954493  5555.10    86398       0  1034750
20020802.0000.stats  331885237  3841.31    86398       0   733700
20020805.0000.stats  589246551  6820.00    86399       0  1361559
20020806.0000.stats  637745363  7381.44    86398    1320  1333748
20020807.0000.stats  574851915  6653.70    86398   17523  1613854
20020808.0000.stats  609534381  7057.84    86398  254689  1252662
20020809.0000.stats  439044695  5081.59    86399       0  1629471
20020812.0000.stats  522056702  6042.34    86399       0  1333786
> Let me know what you think.
>
> Thanks,
> Radu
>
> On Wed, 2002-08-14 at 16:31, Phil Wood wrote:
> > On Wed, Aug 14, 2002 at 10:13:47AM -0500, Radu Brumariu wrote:
> > > Thanks, Jeffrey, for the input. However, I would like snort to log
> > > _all_ the packets that it sees, including arp, igrp, gre, etc.
> >
> > I would use tcpdump for that:
> >
> >   tcpdump -i eth0 -w pcapfile -s 1514
> >
> > You can even feed that file into snort for analysis. Instead of -i, use
> > -r pcapfile. snort does not handle non ip packets. You could use snort
> > to grab the ip packets with the rule supplied by Jeffrey, and you could
> > use tcpdump at the same time to get all the non-ip packets with the
> > following:
> >
> >   tcpdump -i eth0 -w pcapfile -s 1514 not ip
> >
> > > Radu
> > >
> > > On Wed, 2002-08-14 at 14:42, Dell, Jeffrey wrote:
> > > > Use the rule:
> > > >
> > > >   log ip any any <> any any
> > > >
> > > > This will log all ip packets.
> > > >
> > > > -----Original Message-----
> > > > From: Radu Brumariu [mailto:brumariur () missouri edu]
> > > > Sent: Wednesday, August 14, 2002 10:27 AM
> > > > To: snort-users () lists sourceforge net
> > > > Subject: [Snort-users] Database plugin question
> > > >
> > > > Hi all,
> > > > I would like to know if it is possible to trick snort into logging
> > > > every packet that it sees to the database rather than log|alert?
> > > >
> > > > thanks,
> > > > Radu
> >
> > --
> > Phil Wood, cpw () lanl gov

--
Phil Wood, cpw () lanl gov

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
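Phil's approach, capture everything with tcpdump -w and do the database work after the fact, is easy to script. The following is an added example, not code from this thread, from Snort or from tcpdump: it parses a classic libpcap file as `tcpdump -w` writes it, stores one row per frame in SQLite whether or not the frame is IP (ARP, LLC and VLAN-tagged traffic all land in the table, which is what Radu asked for), and then produces a summary in the spirit of Phil's stats table with two checks a sensor-side table cannot show: how many frames were not IP, and how many the snaplen truncated. The capture bytes are constructed inline for the example, and the `frames` table layout and the function names are assumptions.

```python
"""Post-process a libpcap capture into SQLite, one row per frame, IP or not.
Added example for this thread, not Snort or tcpdump code. The sample capture is
constructed, not real traffic, and the `frames` table layout is an assumption."""
import sqlite3
import struct

ETHERTYPE_NAMES = {0x0800: "ip", 0x0806: "arp", 0x86DD: "ipv6"}
SCHEMA = ("CREATE TABLE IF NOT EXISTS frames (ts REAL, caplen INTEGER, origlen INTEGER,"
          " src_mac TEXT, dst_mac TEXT, ethertype INTEGER, proto TEXT, ip_proto INTEGER,"
          " src_ip TEXT, dst_ip TEXT)")


def iter_pcap(data):
    """Yield (ts, caplen, origlen, frame) from a classic libpcap byte string."""
    (magic,) = struct.unpack("<I", data[:4])
    e = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(magic)  # byte order from the magic
    if e is None:
        raise ValueError("not a libpcap file: magic %#x" % magic)
    # global header: magic, ver_major, ver_minor, thiszone, sigfigs, snaplen, linktype
    if struct.unpack(e + "IHHiIII", data[:24])[6] != 1:
        raise ValueError("only Ethernet (DLT_EN10MB) captures are handled here")
    off = 24
    while off + 16 <= len(data):  # record header: ts_sec, ts_usec, incl_len, orig_len
        ts_sec, ts_usec, caplen, origlen = struct.unpack(e + "IIII", data[off:off + 16])
        off += 16
        yield ts_sec + ts_usec / 1e6, caplen, origlen, data[off:off + caplen]
        off += caplen


def classify(frame):
    """Decode the Ethernet header and, for IPv4, protocol and addresses; non-IP frames
    (ARP, LLC, anything else) still get a row, which is the point of the exercise."""
    row = dict(src_mac=None, dst_mac=None, ethertype=None, proto="runt",
               ip_proto=None, src_ip=None, dst_ip=None)
    if len(frame) < 14:
        return row
    (etype,) = struct.unpack("!H", frame[12:14])
    payload = frame[14:]
    if etype == 0x8100 and len(payload) >= 4:  # 802.1Q tag: skip the TCI, read inner type
        (etype,) = struct.unpack("!H", payload[2:4])
        payload = payload[4:]
    row.update(src_mac=frame[6:12].hex(":"), dst_mac=frame[:6].hex(":"), ethertype=etype,
               proto="llc" if etype <= 1500 else ETHERTYPE_NAMES.get(etype, "other"))
    if etype == 0x0800 and len(payload) >= 20:
        row.update(ip_proto=payload[9], src_ip=".".join(map(str, payload[12:16])),
                   dst_ip=".".join(map(str, payload[16:20])))
    return row


def load_pcap(data, conn):
    """Insert one row per captured frame; return the number of rows inserted."""
    conn.execute(SCHEMA)
    rows = [(ts, caplen, origlen) + tuple(classify(frame).values())
            for ts, caplen, origlen, frame in iter_pcap(data)]
    conn.executemany("INSERT INTO frames VALUES (?,?,?,?,?,?,?,?,?,?)", rows)
    conn.commit()
    return len(rows)


def summarize(conn):
    """A stats line like the thread's table, plus non-IP and snaplen-truncated counts."""
    packets, t0, t1, non_ip, truncated = conn.execute(
        "SELECT COUNT(*), MIN(ts), MAX(ts), SUM(proto != 'ip'), SUM(caplen < origlen)"
        " FROM frames").fetchone()
    seconds = (t1 - t0) if packets else 0.0
    return dict(packets=packets, seconds=seconds, pps=packets / seconds if seconds else 0.0,
                non_ip=non_ip or 0, truncated=truncated or 0)


def build_sample_pcap(snaplen=1514):
    """Constructed capture: an ARP request, a TCP segment, a VLAN-tagged UDP datagram,
    and an oversized frame the snaplen truncates (caplen < origlen, as tcpdump records)."""
    def eth(dst, src, etype, payload):
        return dst + src + struct.pack("!H", etype) + payload

    def ipv4(proto, src, dst, payload):  # minimal 20-byte header, checksum left zero
        return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 1, 0, 64,
                           proto, 0, src, dst) + payload

    a, b = bytes.fromhex("001122334455"), bytes.fromhex("00aabbccddee")
    ip_a, ip_b = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])
    frames = [
        eth(b"\xff" * 6, a, 0x0806, b"\x00\x01\x08\x00\x06\x04\x00\x01" + a + ip_a + b"\x00" * 6 + ip_b),
        eth(b, a, 0x0800, ipv4(6, ip_a, ip_b, b"\x00" * 20)),
        eth(a, b, 0x8100, b"\x00\x64" + struct.pack("!H", 0x0800) + ipv4(17, ip_b, ip_a, b"\x00" * 8)),
        eth(b, a, 0x0800, ipv4(6, ip_a, ip_b, b"\x00" * 1600)),
    ]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, 1)
    for i, frame in enumerate(frames):  # one frame per second; snaplen applied as tcpdump would
        out += struct.pack("<IIII", 1029000000 + i, 0, min(len(frame), snaplen), len(frame))
        out += frame[:snaplen]
    return out


def demo():
    """Load the constructed capture into an in-memory DB; return count, summary, rows."""
    conn = sqlite3.connect(":memory:")
    n = load_pcap(build_sample_pcap(), conn)
    cur = conn.execute("SELECT proto, ip_proto, src_ip, dst_ip, caplen, origlen FROM frames ORDER BY ts")
    return n, summarize(conn), [dict(zip([c[0] for c in cur.description], r)) for r in cur]
```

On a real file, call `load_pcap(open(path, "rb").read(), sqlite3.connect("frames.db"))` and then `summarize` on the same connection. A non-zero `truncated` count means the snaplen was smaller than the frames on the wire, which is why Phil passes -s 1514 on an Ethernet link (older tcpdump defaulted to 68 bytes). The `seconds` value is the time span covered by the file, not the sensor's uptime, and the drops column of Phil's table cannot be recovered from a capture file at all: tcpdump reports drops on stderr when it exits, so record that number at capture time if you want it alongside the packet counts.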
Current thread:
- Database plugin question Radu Brumariu (Aug 14)
- <Possible follow-ups>
- RE: Database plugin question Kevin Brown (Aug 14)
- RE: Database plugin question Dell, Jeffrey (Aug 14)
- RE: Database plugin question Radu Brumariu (Aug 14)
- Re: Database plugin question hackerwacker (Aug 14)
- Re: Database plugin question Phil Wood (Aug 14)
- Re: Database plugin question Radu Brumariu (Aug 15)
- Re: Database plugin question Phil Wood (Aug 15)
- RE: Database plugin question Radu Brumariu (Aug 14)