Snort mailing list archives
Re: Getting more context in snort alerts.
From: Edward Fjellskål <edwardfjellskaal () gmail com>
Date: Tue, 11 Jan 2011 15:21:08 +0100
I wrote a tool to look for files on the wire... nftracker... Leon Ward implemented the parser for it in OpenFPC, so they should work nicely together now. nftracker was just for phun; using snort/suricata and writing rules to find files over the wire will probably be much faster :) My blogs about carving and pcaps are here: http://www.gamelinux.org/?s=carve I learned about a new tool today from the Cisco blog, http://code.google.com/p/nfex/ And I was thinking of forking and fixing tcpxtract, and somebody already did it :) Time saved...
I am wanting to do this. Using a tool like tcpxtract or another tool, pull out certain files and have them automatically get scanned using various tools (ClamAV with custom sigs, jsunpack perhaps, yara etc.). Then have the files moved over for further automated analysis while ones which did not fire anything useful are removed. Sure it will miss stuff, but I think it may work well in picking up some stuff, especially if the initial checks pick out not just 100% malicious but suspicious stuff as well.
I've looked into this for some time, and made proofs of concept doing this... I have started a project to do this and lots more. I have lots of thoughts on the subject, and if you want to discuss it head over to #nsmframework on Freenode if you are IRCing :) E
On 10 January 2011 18:00, sudhakar govindavajhala <sudhakarg79spam () gmail com> wrote:
Hi Snort folks, When Snort identifies something as an attack, it currently only shows me the single packet that triggered the alarm. It does not show me enough context to make an informed decision. Do you have any suggestions on how I could get more context? Is this something that Snort supports relatively out of the box or do I have to write lots of code? A silly option would be to use tcpdump to log all packets and then search the logs. Is there a better approach? Thanks, Sudhakar.
------------------------------------------------------------------------------ Gaining the trust of online customers is vital for the success of any company that requires sensitive data to be transmitted over the Web. Learn how to best implement a security strategy that keeps consumers' information secure and instills the confidence they need to proceed with transactions. http://p.sf.net/sfu/oracle-sfdevnl _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
-- Edward Bjarte Fjellskål Senior Security Analyst http://www.gamelinux.org/
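The two ideas in this thread, Sudhakar's "log everything with tcpdump and search it" and the carve-files-from-the-wire-then-triage pipeline that Kevin and Edward describe, fit in one short script. What follows is an added example written for this archive page; it is not code from the thread and not from nftracker, OpenFPC, tcpxtract or nfex. It assumes a full-packet capture in classic libpcap format with Ethernet frames, an alert that supplies the IPv4/TCP 5-tuple (the one thing a single-packet Snort alert does give you), and a small constructed list of file magics and "suspicious" markers; the capture it runs on is constructed in the script so it works offline.

```python
"""Pull the whole TCP session behind a Snort alert out of a full-packet capture,
reassemble each direction and flag carved files that deserve a closer look.
Added example for the thread above; standard library only."""
import struct
from collections import defaultdict

# Magic bytes to carve on and per-type markers worth a second look. Both tables
# are assumptions for this example, not signatures from the thread.
MAGICS = {b"%PDF-": "pdf", b"MZ": "pe", b"PK\x03\x04": "zip", b"\x7fELF": "elf"}
SUSPICIOUS = {"pdf": [b"/JS", b"/JavaScript", b"/OpenAction", b"/Launch"]}


def build_frame(src, dst, sport, dport, seq, payload):
    """Constructed Ethernet/IPv4/TCP frame (PSH|ACK, checksums zero) for the sample pcap."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    a, b = (bytes(int(o) for o in ip.split(".")) for ip in (src, dst))
    ip4 = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0, a, b)
    return b"\x00" * 12 + b"\x08\x00" + ip4 + tcp


def build_pcap(frames):
    """Minimal little-endian libpcap file: 24-byte global header, 16-byte record headers."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for ts, fr in frames:
        out += struct.pack("<IIII", ts, 0, len(fr), len(fr)) + fr
    return out


def read_pcap(data):
    """Yield (ts_sec, frame) per record, honouring the file's byte order."""
    end = "<" if data[:4] == b"\xd4\xc3\xb2\xa1" else ">"
    off = 24
    while off + 16 <= len(data):
        ts, _, caplen, _ = struct.unpack(end + "IIII", data[off:off + 16])
        yield ts, data[off + 16:off + 16 + caplen]
        off += 16 + caplen


def parse_frame(fr):
    """(src, dst, sport, dport, seq, payload) for an IPv4/TCP frame, else None."""
    if len(fr) < 54 or fr[12:14] != b"\x08\x00" or fr[23] != 6:  # not IPv4 over Ethernet / not TCP
        return None
    ip = fr[14:14 + struct.unpack("!H", fr[16:18])[0]]
    tcp = ip[(fr[14] & 0x0F) * 4:]
    sport, dport, seq = struct.unpack("!HHI", tcp[:8])
    src, dst = (".".join(map(str, ip[i:i + 4])) for i in (12, 16))
    return src, dst, sport, dport, seq, tcp[(tcp[12] >> 4) * 4:]


def flow_key(src, dst, sport, dport):
    """Direction-independent session key, so both halves of a conversation map together."""
    a, b = (src, sport), (dst, dport)
    return (a, b) if a <= b else (b, a)


def reassemble(segments):
    """In-order reassembly of one direction; retransmissions and overlaps are dropped."""
    stream, expected = b"", None
    for seq, payload in sorted(segments):
        end = seq + len(payload)
        if not payload or (expected is not None and end <= expected):
            continue  # empty segment or a pure retransmission
        if expected is not None and seq < expected:
            payload = payload[expected - seq:]  # partial overlap: keep only the new bytes
        stream += payload  # a gap (seq > expected) is silently skipped in this example
        expected = end
    return stream


def session_for_alert(pcap_bytes, alert):
    """Every byte of the session the alert's 5-tuple belongs to, keyed by (src, sport)."""
    want = flow_key(alert["src"], alert["dst"], alert["sport"], alert["dport"])
    by_dir = defaultdict(list)
    for _, fr in read_pcap(pcap_bytes):
        p = parse_frame(fr)
        if p and flow_key(*p[:4]) == want:
            by_dir[(p[0], p[2])].append((p[4], p[5]))
    return {k: reassemble(v) for k, v in by_dir.items()}


def carve(stream):
    """(offset, kind) for every known file header in a reassembled stream."""
    hits = []
    for magic, kind in MAGICS.items():
        off = stream.find(magic)
        while off != -1:
            hits.append((off, kind))
            off = stream.find(magic, off + 1)
    return sorted(hits)


def triage(stream):
    """Carved files with the suspicious markers each contains; an empty list means 'drop it'."""
    hits, out = carve(stream), []
    for i, (off, kind) in enumerate(hits):
        blob = stream[off:hits[i + 1][0] if i + 1 < len(hits) else len(stream)]
        out.append((off, kind, [m.decode() for m in SUSPICIOUS.get(kind, []) if m in blob]))
    return out


# Constructed capture: a PDF download split over three server segments, one retransmitted,
# plus an unrelated flow. The alert is assumed to have fired on the segment carrying "%PDF-".
CLIENT, SERVER, S0 = "10.0.0.5", "203.0.113.10", 5000
REQ = b"GET /invoice.pdf HTTP/1.1\r\nHost: files.example\r\n\r\n"
HDR = b"HTTP/1.1 200 OK\r\nContent-Type: application/pdf\r\n\r\n"
BODY = b"%PDF-1.7\n1 0 obj << /OpenAction << /S /JavaScript /JS (app.alert(1)) >> >> endobj\n%%EOF\n"
SAMPLE_PCAP = build_pcap([
    (1, build_frame(CLIENT, SERVER, 40001, 80, 1000, REQ)),
    (1, build_frame(SERVER, CLIENT, 80, 40001, S0, HDR)),
    (2, build_frame(SERVER, CLIENT, 80, 40001, S0 + len(HDR), BODY[:20])),  # the alert packet
    (2, build_frame(SERVER, CLIENT, 80, 40001, S0, HDR)),                    # retransmission
    (2, build_frame("10.0.0.7", "198.51.100.9", 40002, 443, 1, b"unrelated")),
    (3, build_frame(SERVER, CLIENT, 80, 40001, S0 + len(HDR) + 20, BODY[20:])),
])
ALERT = {"src": SERVER, "dst": CLIENT, "sport": 80, "dport": 40001}  # 5-tuple from the alert


def context_for(alert=ALERT, pcap=SAMPLE_PCAP):
    """What the analyst wants beside the one alert packet: both streams and the triage result."""
    session = session_for_alert(pcap, alert)
    return session, triage(session[(alert["src"], alert["sport"])])
```

Point it at a real rolling capture by replacing `SAMPLE_PCAP` with the file bytes and `ALERT` with the 5-tuple from the alert; `session_for_alert` then hands back the request that preceded the alerting packet and the complete object that followed it, which is exactly the context the single-packet alert lacks. The reassembly is deliberately minimal (no SACK, no gap marking, no IPv6) and the two-byte `MZ` magic will false-positive on arbitrary data, so treat `triage` as a filter that decides what gets sent on to ClamAV or yara, not as a verdict.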
Current thread:
- Getting more context in snort alerts. sudhakar govindavajhala (Jan 10)
- Re: Getting more context in snort alerts. Richard Bejtlich (Jan 10)
- Re: Getting more context in snort alerts. beenph (Jan 10)
- Re: Getting more context in snort alerts. Edward Fjellskål (Jan 10)
- searching for " in content Don Florence (Jan 10)
- Re: searching for " in content Alex Kirk (Jan 10)
- Re: Getting more context in snort alerts. Jefferson, Shawn (Jan 10)
- Re: Getting more context in snort alerts. Martin Holste (Jan 10)
- Re: Getting more context in snort alerts. Kevin Ross (Jan 11)
- Re: Getting more context in snort alerts. Edward Fjellskål (Jan 11)
- Re: Getting more context in snort alerts. Richard Bejtlich (Jan 10)