Snort mailing list archives

Re: Getting more context in snort alerts.


From: Kevin Ross <kevross33 () googlemail com>
Date: Tue, 11 Jan 2011 13:47:53 +0000

Also if you get the PCAPs you can do network file carving
http://blogs.cisco.com/security/network-based-file-carving/. I want to
do this. Using a tool like tcpxtract or another tool, pull out certain files
and have them automatically get scanned using various tools (Clamav with
custom sigs, jsunpack perhaps, yara etc). Then have the files moved over for
further automated analysis while ones which did not fire anything useful are
removed. Sure it will miss stuff but I think it may work well in picking up
some stuff, especially if the initial checks pick out not just 100%
malicious but suspicious stuff as well.

On 10 January 2011 18:00, sudhakar govindavajhala <sudhakarg79spam () gmail com> wrote:

Hi Snort folks,


When Snort identifies something as an attack, it currently only shows me
the single packet that triggered the alarm. It does not show me enough
context to make an informed decision.


Do you have any suggestions on how I could get more context? Is this
something that Snort supports relatively out of the box or do I have to
write lots of code? A silly option would be to use tcpdump to log all
packets and then search the logs. Is there a better approach?


Thanks,
Sudhakar.


------------------------------------------------------------------------------
Gaining the trust of online customers is vital for the success of any
company
that requires sensitive data to be transmitted over the Web.   Learn how to
best implement a security strategy that keeps consumers' information secure
and instills the confidence they need to proceed with transactions.
http://p.sf.net/sfu/oracle-sfdevnl
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

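The carve-then-scan pipeline Kevin sketches above, written out as an added example that is not part of the original thread. It assumes tcpxtract, clamscan and yara are installed and uses their usual command lines; the verdict labels, the "highest verdict wins" rule and the choice to keep unscannable files instead of deleting them are assumptions made for this example.

```python
#!/usr/bin/env python3
"""Carve files out of a PCAP, scan each with several tools and keep only the
ones some scanner flagged.  Tool names, flags and the verdict labels are
assumptions made for this example; the thread itself names no commands."""
import shutil
import subprocess
import sys
from pathlib import Path

# Higher value wins when scanners disagree; "error" is kept rather than
# deleted so a file that could not be scanned is never silently thrown away.
SEVERITY = {"clean": 0, "error": 1, "suspicious": 2, "malicious": 3}


def carve(pcap, outdir):
    """Extract files from the capture with tcpxtract (assumed installed)."""
    outdir.mkdir(parents=True, exist_ok=True)
    subprocess.run(["tcpxtract", "-f", str(pcap), "-o", str(outdir)], check=True)
    return sorted(p for p in outdir.iterdir() if p.is_file())


def clamav_verdict(path):
    """clamscan exits 1 on a signature hit, 0 when clean, 2 on error."""
    r = subprocess.run(["clamscan", "--no-summary", str(path)], capture_output=True)
    return {0: "clean", 1: "malicious"}.get(r.returncode, "error")


def yara_verdict(rules):
    """Build a scanner for one rules file; yara prints a line per matching rule."""
    def scan(path):
        r = subprocess.run(["yara", str(rules), str(path)], capture_output=True, text=True)
        return "suspicious" if r.stdout.strip() else "clean"
    return scan


def decide(files, scanners):
    """Map each file to the most severe verdict any scanner returned."""
    verdicts = {}
    for f in files:
        verdicts[f] = max((s(f) for s in scanners), key=SEVERITY.get, default="clean")
    return verdicts


def apply_verdicts(verdicts, keep_dir):
    """Move flagged (or unscannable) files aside for analysis; delete the rest."""
    keep_dir.mkdir(parents=True, exist_ok=True)
    for f, v in verdicts.items():
        if v == "clean":
            f.unlink()
        else:
            shutil.move(str(f), str(keep_dir / f"{v}-{f.name}"))


if __name__ == "__main__":  # usage: pipeline.py capture.pcap rules.yar workdir
    pcap, rules, work = (Path(a) for a in sys.argv[1:4])
    carved = carve(pcap, work / "carved")
    apply_verdicts(decide(carved, [clamav_verdict, yara_verdict(rules)]), work / "keep")
```

Any additional scanner (jsunpack, a second ClamAV database with custom sigs) is just another callable returning one of the SEVERITY labels, appended to the list passed to decide().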
