Snort mailing list archives
Re: Displaying few packets before a matched packet
From: carlopmart <carlopmart () gmail com>
Date: Fri, 18 Nov 2011 17:05:57 +0100
On 11/18/2011 04:22 PM, Martin Holste wrote:
> > Hey everyone, I'm new to Snort and was wondering if this is possible. Suppose a packet is matched by an alert rule, is it possible to make Snort display a few of the preceding packets as well?
>
> Not really, which is one of the reasons people run things like daemonlogger. We were just discussing alternatives last night with things like URL logging. Generally speaking, you should have something doing general logging alongside Snort to provide context to the alerts. For general contextual information without the overhead of full pcap, I recommend running Bro along with Snort. It will generically log connections, URLs, SMTP, SMTP entities, do full file carving of HTTP/SMTP objects, etc. That way when you get a Snort alert, you can grep for the offending IP in your Bro logs to see what it was up to. There are many, many ways of doing this with other solutions; this is just one example.
That's what I have been searching for for a long time. I really like to do this with Bro, but it is terribly difficult to configure. Do you have some samples, Martin, for example to log SMTP and HTTP requests?

--
CL Martinez
carlopmart {at} gmail {d0t} com
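The correlation Martin describes (take the offending IP from a Snort alert, then pull the Bro connection records from just before it) can be scripted instead of grepped by hand. The following is an added example, not code from the thread, Snort or Bro: it parses a constructed Snort alert_fast line and a constructed Bro conn.log excerpt and returns the connections involving the alerting source host in the window before the alert. Assumptions: alert_fast lines carry no year, so the caller supplies it, and all timestamps are UTC.

```python
import re
from datetime import datetime, timezone

# Constructed Snort alert_fast line (not from the thread).
SNORT_ALERT = ("11/18-16:22:05.000000  [**] [1:1000001:0] Constructed test rule [**] "
               "[Priority: 2] {TCP} 10.0.0.5:51234 -> 192.0.2.10:80")

# Constructed Bro conn.log excerpt: tab-separated, the '#fields' header names the columns.
BRO_CONN_LOG = "\n".join([
    "#separator \\x09",
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\torig_bytes\tresp_bytes",
    "1321632900.000000\tC0z\t10.0.0.5\t51200\t192.0.2.53\t53\tudp\tdns\t60\t120",      # too old
    "1321633100.000000\tC4d\t10.0.0.9\t40000\t192.0.2.10\t80\ttcp\thttp\t300\t300",    # other host
    "1321633200.100000\tC1a\t10.0.0.5\t51230\t192.0.2.53\t53\tudp\tdns\t60\t120",
    "1321633280.500000\tC2b\t10.0.0.5\t51233\t192.0.2.10\t80\ttcp\thttp\t420\t9000",
    "1321633324.900000\tC3c\t10.0.0.5\t51234\t192.0.2.10\t80\ttcp\thttp\t512\t-",
    "1321633400.000000\tC5e\t10.0.0.5\t51240\t198.51.100.7\t25\ttcp\tsmtp\t900\t200",  # after alert
])

def parse_snort_fast(line, year):
    """Return (epoch_seconds, src_ip, dst_ip) from a Snort alert_fast line (year is assumed UTC)."""
    m = re.match(r"(\d\d)/(\d\d)-(\d\d):(\d\d):(\d\d)\.(\d+).*?\}\s+"
                 r"(\d+\.\d+\.\d+\.\d+):\d+\s+->\s+(\d+\.\d+\.\d+\.\d+):\d+", line)
    if not m:
        raise ValueError("not an alert_fast line")
    mon, day, hh, mm, ss, frac, src, dst = m.groups()
    ts = datetime(year, int(mon), int(day), int(hh), int(mm), int(ss),
                  int(frac.ljust(6, "0")[:6]), tzinfo=timezone.utc).timestamp()
    return ts, src, dst

def parse_bro_conn(text):
    """Parse Bro's tab-separated ASCII log into dicts keyed by the '#fields' header names."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line.startswith("#") or not line.strip():
            continue
        elif fields is None:
            raise ValueError("data row before #fields header")
        else:
            rows.append(dict(zip(fields, line.split("\t"))))
    return rows

def context_before_alert(alert_line, conn_text, year, window_s=300):
    """Bro connections involving the alert's source host in the window_s seconds up to the alert."""
    alert_ts, src, _dst = parse_snort_fast(alert_line, year)
    hits = [r for r in parse_bro_conn(conn_text)
            if src in (r["id.orig_h"], r["id.resp_h"])
            and alert_ts - window_s <= float(r["ts"]) <= alert_ts]
    return sorted(hits, key=lambda r: float(r["ts"]))

if __name__ == "__main__":
    for r in context_before_alert(SNORT_ALERT, BRO_CONN_LOG, year=2011):
        print(r["ts"], r["uid"], r["id.orig_h"], "->", r["id.resp_h"], r["service"])
```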
Current thread:
- Displaying few packets before a matched packet Arvind S Raj (Nov 18)
- Re: Displaying few packets before a matched packet Martin Holste (Nov 18)
- Re: Displaying few packets before a matched packet carlopmart (Nov 18)
- Re: Displaying few packets before a matched packet Martin Holste (Nov 18)
- Re: Displaying few packets before a matched packet carlopmart (Nov 18)
- Re: Displaying few packets before a matched packet Martin Holste (Nov 18)