Snort mailing list archives

Re: simultaneous snort and tcpdump


From: Jason <security () brvenik com>
Date: Thu, 26 Sep 2002 22:56:36 -0400

Thanks to Todd for reading the true intent of the reply.

For clarification: it was not a "RTFM" response, rather a quick reply to point out that it can be done in an "elegant, efficient way" using the rule base. I have been on the road all week and probably should have just ignored the mail since I did not have the time to type a _proper_ reply. My apologies ;-)

I read the statement "and I want to record other traffic as well" with the statement "Perhaps there's an elegant, efficient way to do so with a single snort process" to mean that you had some idea of the other traffic you are interested in, not that you want all traffic. With this I was thinking that you were interested in only logging certain types of traffic that meet definable criteria beyond what tcpdump is capable of. This is one of the many areas where snort is perfectly suited for the task.

For example, your site was recently found to be hosting warez that the recently terminated administrator has placed there and you want to know where else the warez might have been hidden. You are a university and cannot tell by the names of files provided for download what is warez and what is not and politically are prevented from just nuking questionable content.

In this case you might want to log multiple complete web sessions from a host when a single session starts out with a request that includes a referer with the word warez in it.

I know that there are other ways of doing the analysis on this specific scenario but it is easy to explain and should be illustrative of the concept.

> Oh, I see.  Sorry for the misunderstanding.  Though, I think pass
> rules or other log rules might interfere with this, if I'm not
> careful...

You certainly have to pay attention to rule ordering and potential impact; if you are still concerned and need to accomplish a complicated selective logging implementation, you could still run a separate snort process with a separate rule base analyzing the same traffic.

Jason.

Carl Gibbons wrote:

> On Thu, 26 Sep 2002, Bennett Todd wrote:
> > Perhaps I misunderstood Jason, but I _think_ his suggestion is very
> > relevant.
> >
> > I took him to mean that it might be more efficient to use one snort
> > to do the job you're currently doing with snort + tcpdump. Rather
> > than running both snort and tcpdump, run just snort, and configure
> > the snort to log everything, by creating a rule that logs
> > everything. I think the canonical example might be
> >
> >     log any any any <> any any
>
> Oh, I see.  Sorry for the misunderstanding.  Though, I think pass
> rules or other log rules might interfere with this, if I'm not
> careful...  Thanks for the explanation.
>
> > If you don't need the alerts in real-time, another approach might be
> > to just use either snort or tcpdump as a pure packet capture to save
> > everything in a libpcap format file, then as you rotate logs, rotate
> > them clean off your capture sniffer to a log archival system, and
> > there run snort over them with -r.
>
> Wow, you're astute.  I'm actually also trying to set up a SHADOW
> IDS, and you've perfectly described SHADOW's architecture.  I don't
> yet have the SHADOW analyzer (you called it a log archival system)
> working, and so I'm experimenting with getting snort working on the
> SHADOW sensor machine (simultaneously with SHADOW's tcpdump) in the
> meantime.  - Carl
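As an added illustration of the three points raised in this thread (one snort process logging everything, selective logging driven by the rule base, and the pass-rule ordering caveat), here is a small rule set written for this archive page; it is not from any message above and not from the Snort project. It assumes Snort 1.9/2.x rule syntax, a $HOME_NET variable defined in snort.conf, HTTP on port 80, and a 600-second tag window; the sid values and the "warez" string are constructed for the example.

```snort
# Added example (not from the thread). Assumes Snort 1.9/2.x rule syntax,
# $HOME_NET defined in snort.conf, HTTP on tcp/80. sid values are constructed.

# 1. Full capture from a single snort process (Todd's suggestion): a log rule
#    that matches every IP packet. Protocol "ip" is used because Snort rules
#    take ip/tcp/udp/icmp as the protocol, not "any". Start snort with -b so
#    the logged packets are written in libpcap format rather than decoded text.
log ip any any <> any any

# 2. Selective logging (Jason's warez scenario): when an HTTP request carries
#    a Referer header containing "warez", alert and then keep logging every
#    packet from that source host for the next 600 seconds, so the host's
#    following web sessions are captured in full without a second process.
alert tcp any any -> $HOME_NET 80 (msg:"warez referer - tagging source host"; \
    content:"Referer|3a|"; nocase; content:"warez"; nocase; \
    tag:host,600,seconds,src; sid:1000001; rev:1;)

# 3. The ordering caveat (Carl's concern). With Snort's default rule order
#    (Alert -> Pass -> Log) this pass rule stops the full-capture log rule
#    from seeing matching packets but does NOT suppress the alert above.
#    Started with -o the order becomes Pass -> Alert -> Log and the pass rule
#    silences both. Check which order the sensor runs with before adding any
#    pass rule to a rule base that also does capture.
pass tcp $HOME_NET any -> any 80 (msg:"trusted outbound http"; sid:1000002; rev:1;)
```

Run live as `snort -c snort.conf -i eth0 -b -l /var/log/snort` (the -b switch makes the log output binary libpcap files, which is what the tcpdump process was providing). For Todd's offline variant, capture with either tool, move the rotated libpcap files to the analysis box, and replay them through the same rule base with `snort -c snort.conf -r capture.pcap -l /var/log/snort`; the tag option works the same way against a replayed file.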



-------------------------------------------------------
This sf.net email is sponsored by:ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users