Snort mailing list archives
RE: Cisco IDS
From: "Joe Patterson" <jpatterson () asgardgroup com>
Date: Wed, 19 Jan 2005 14:28:09 -0500
-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of Alex Butcher, ISC/ISYS
Sent: Wednesday, January 19, 2005 10:49 AM
To: John Hally; 'snort-users () lists sourceforge net'
Subject: RE: [Snort-users] Cisco IDS
...
The cool thing about Sguil is the ability to pull up a pcap file for the particular event reported.

The same can be done quite easily with ACID, if you're using a spool processor which respects tagged packets. FLoP, for instance, does this. I then wrote a small amount of PHP around the included 'getpacket' utility to retrieve all tagged packets that were related to the triggering packet.

The one flaw with this is that snort can't (and shouldn't!) retroactively tag packets. So you can only see the things that happen *after* a signature fires. If you want to see what happened leading up to a signature fire, then you need something like what sguil does.

-Joe
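The lookup Joe describes, as an added example that is not from this thread and not code from FLoP, Sguil or Snort: a small Python script that writes a constructed pcap in memory (invented addresses, ports and HTTP payloads), then pulls every packet of one TCP flow within a window around an alert timestamp. The "pre" entries are the part a full-packet capture gives you and Snort's tag option cannot, since tagging only starts once the rule fires.

```python
"""Pull pre- and post-alert flow context out of a full-packet pcap.

Everything below (addresses, ports, payloads, timestamps) is constructed
for the demo; only the pcap and Ethernet/IPv4/TCP layouts are real.
"""
import struct
from typing import List, Optional, Tuple

FlowKey = Tuple[str, int, str, int]  # (src_ip, src_port, dst_ip, dst_port)


def _ip(dotted: str) -> bytes:
    return bytes(int(o) for o in dotted.split("."))


def build_frame(src: str, sport: int, dst: str, dport: int,
                payload: bytes, flags: int = 0x18) -> bytes:
    """Ethernet/IPv4/TCP frame with dummy MACs and zero checksums (constructed)."""
    tcp = struct.pack("!HHIIHHHH", sport, dport, 1, 1, (5 << 12) | flags, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload),
                     1, 0, 64, 6, 0, _ip(src), _ip(dst))
    eth = b"\x00" * 6 + b"\x11" * 6 + b"\x08\x00"
    return eth + ip + tcp + payload


def arp_frame() -> bytes:
    # Non-IP frame, there to show the flow parser skips what it cannot key.
    return b"\xff" * 6 + b"\x11" * 6 + b"\x08\x06" + b"\x00" * 28


def write_pcap(packets: List[Tuple[float, bytes]]) -> bytes:
    """Serialise (timestamp, frame) pairs as a little-endian pcap, linktype 1."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]
    for ts, frame in packets:
        sec = int(ts)
        usec = int(round((ts - sec) * 1_000_000))
        out.append(struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame)
    return b"".join(out)


def read_pcap(data: bytes) -> List[Tuple[float, bytes]]:
    magic, = struct.unpack_from("<I", data, 0)
    if magic != 0xA1B2C3D4:
        raise ValueError("only little-endian microsecond pcap is handled here")
    pos, records = 24, []
    while pos + 16 <= len(data):
        sec, usec, incl, _orig = struct.unpack_from("<IIII", data, pos)
        pos += 16
        records.append((sec + usec / 1_000_000, data[pos:pos + incl]))
        pos += incl
    return records


def tcp_flow(frame: bytes) -> Optional[Tuple[FlowKey, bytes]]:
    """Return ((src, sport, dst, dport), payload) for an IPv4/TCP frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ihl = (frame[14] & 0x0F) * 4
    if frame[23] != 6 or len(frame) < 14 + ihl + 20:
        return None
    src = ".".join(str(b) for b in frame[26:30])
    dst = ".".join(str(b) for b in frame[30:34])
    tcp = 14 + ihl
    sport, dport = struct.unpack_from("!HH", frame, tcp)
    doff = (frame[tcp + 12] >> 4) * 4
    return (src, sport, dst, dport), frame[tcp + doff:]


def flow_context(pcap: bytes, key: FlowKey, alert_ts: float,
                 before: float, after: float) -> List[Tuple[float, str, bytes]]:
    """Packets of `key` in either direction within [alert_ts-before, alert_ts+after].

    Entries are (timestamp, 'pre'|'post', payload). Snort's tag: option can only
    ever produce the 'post' half; the 'pre' half needs the full capture.
    """
    src, sport, dst, dport = key
    reverse = (dst, dport, src, sport)
    hits = []
    for ts, frame in read_pcap(pcap):
        parsed = tcp_flow(frame)
        if parsed is None or parsed[0] not in (key, reverse):
            continue
        if alert_ts - before <= ts <= alert_ts + after:
            hits.append((ts, "pre" if ts < alert_ts else "post", parsed[1]))
    return hits


# Constructed scenario: one HTTP session, one unrelated SSH packet, one ARP frame.
CLIENT, SERVER = "10.0.0.5", "10.0.0.20"
KEY: FlowKey = (CLIENT, 40000, SERVER, 80)
ALERT_TS = 101.0  # the hypothetical rule fires on the traversal request below


def sample_pcap() -> bytes:
    def c2s(ts, payload, flags=0x18):
        return ts, build_frame(CLIENT, 40000, SERVER, 80, payload, flags)

    def s2c(ts, payload, flags=0x18):
        return ts, build_frame(SERVER, 80, CLIENT, 40000, payload, flags)

    return write_pcap([
        c2s(100.0, b"", 0x02),
        (100.05, arp_frame()),
        s2c(100.1, b"", 0x12),
        c2s(100.2, b"", 0x10),
        c2s(100.3, b"GET /login HTTP/1.1\r\nHost: www\r\n\r\n"),
        (100.4, build_frame("10.0.0.7", 51000, SERVER, 22, b"SSH-2.0-x")),
        s2c(100.5, b"HTTP/1.1 200 OK\r\n\r\n"),
        c2s(101.0, b"GET /../../etc/passwd HTTP/1.1\r\n\r\n"),
        s2c(101.2, b"HTTP/1.1 403 Forbidden\r\n\r\n"),
        c2s(102.0, b"", 0x11),
    ])


if __name__ == "__main__":
    for ts, side, payload in flow_context(sample_pcap(), KEY, ALERT_TS, 5.0, 5.0):
        print(f"{ts:8.3f} {side:4} {payload[:40]!r}")
```

Run against the constructed capture, the flow yields five packets before the alert (handshake, the legitimate request and its reply) and three at or after it; a tight window of `before=0.0` reproduces what a tag-only spool would have stored. Pointing `read_pcap` at a real capture file works as long as it is the classic little-endian microsecond format; pcapng and nanosecond captures are deliberately rejected rather than misparsed.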
Current thread:
- Re: Cisco IDS, (continued)
- Re: Cisco IDS sp0ng3b0b (Jan 27)
- Re: Cisco IDS Dave Breiland (Jan 27)
- RE: Cisco IDS Theodore Stout (Jan 18)
- Re: Cisco IDS Alex Butcher, ISC/ISYS (Jan 17)
- RE: Cisco IDS John Hally (Jan 19)
- RE: Cisco IDS Alex Butcher, ISC/ISYS (Jan 19)
- Re: Cisco IDS Bamm Visscher (Jan 19)
- Re: Cisco IDS Jason Haar (Jan 20)
- RE: Cisco IDS John Hally (Jan 19)
- RE: Cisco IDS Alex Butcher, ISC/ISYS (Jan 19)
- RE: Cisco IDS Joe Patterson (Jan 19)
- RE: Cisco IDS Alex Butcher, ISC/ISYS (Jan 20)
- RE: Cisco IDS Alex Butcher, ISC/ISYS (Jan 19)