Snort mailing list archives

Re: getting a full copy of pcap for forensic purposes from Snort


From: Y M <snort () outlook com>
Date: Thu, 20 Mar 2014 16:42:09 +0300

Hi Kerry,

I would go with something like daemonlogger or netsniff-ng for full packet captures. It relieves the overhead from Snort,
as it may start dropping packets.

Thanks
YM

Sent from Mobile
________________________________
From: Long, Kerry S<mailto:kslong () mitre org>
Sent: 3/20/2014 4:27 PM
To: snort-users () lists sourceforge net<mailto:snort-users () lists sourceforge net>
Subject: [Snort-users] getting a full copy of pcap for forensic purposes from Snort

I am trying to create a sensor with Snort that has Snort listening on the interface processing rules and such while 
also creating a full copy of pcap seen on the interface for forensic purposes.  I have enough storage to hold about a 
month of pcap in this instance.  I am familiar with the capability of using a log rule to log packets but the problem 
is that the pcap has to go through all the alert rules first it seems before it can be logged.  The problem is that 
packets can be dropped as the amount of network traffic increases during the day.

I have tried using this in my config file to alleviate the problem:

# Per Packet latency configuration
config ppm: max-pkt-time 100, \
   fastpath-expensive-packets, \
   pkt-log

and this has helped somewhat but I am still not logging some packets (which for a forensic record is bad) and I am
missing the benefit of several snort rules that take more than 100 usecs.

Any ideas how I can get Snort to both log all packets to disk and alert on traffic it sees on the interface?

Thanks,

Kerry

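Whichever tool ends up writing the full-packet record, the part worth verifying afterwards is that the record is actually complete. The following is an added example, not code from this thread or from Snort, daemonlogger or netsniff-ng: a small Python check that walks a pcap file and reports packets truncated by the snaplen, records cut off mid-write, and long inter-packet gaps that suggest the capture stalled or dropped traffic. The sample pcap is constructed inline so the check runs offline.

```python
import struct

# pcap magic (as stored on disk) -> (struct byte order, timestamp fraction units per second)
PCAP_MAGIC = {
    b"\xd4\xc3\xb2\xa1": ("<", 1_000_000), b"\xa1\xb2\xc3\xd4": (">", 1_000_000),
    b"\x4d\x3c\xb2\xa1": ("<", 1_000_000_000), b"\xa1\xb2\x3c\x4d": (">", 1_000_000_000),
}

def build_sample_pcap():
    """Constructed sample: little-endian pcap, snaplen 64, three Ethernet frames.
    Frame 2 is longer than the snaplen (truncated); frame 3 arrives 4.5 s later."""
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 64, 1)
    frames = [  # (ts_sec, ts_usec, caplen, wire length)
        (1395326400, 0, 60, 60),
        (1395326400, 500000, 64, 1514),   # caplen < wirelen: payload lost to the snaplen
        (1395326405, 0, 60, 60),          # gap far larger than normal inter-packet spacing
    ]
    body = b"".join(struct.pack("<IIII", s, u, c, w) + b"\x00" * c for s, u, c, w in frames)
    return hdr + body

def pcap_capture_stats(data, max_gap_seconds=1.0):
    """Return completeness indicators for a pcap byte string: packet and wire-byte
    counts, packets truncated by the snaplen, the capture's time span, and the number
    of inter-packet gaps longer than max_gap_seconds (a hint the capture stalled)."""
    order, frac = PCAP_MAGIC.get(data[:4], (None, None))
    if order is None:
        raise ValueError("not a pcap file (unknown magic)")
    snaplen = struct.unpack(order + "I", data[16:20])[0]
    stats = {"packets": 0, "bytes_on_wire": 0, "truncated": 0, "gaps": 0,
             "first_ts": None, "last_ts": None, "snaplen": snaplen}
    off, prev = 24, None
    while off + 16 <= len(data):
        sec, sub, caplen, wirelen = struct.unpack(order + "IIII", data[off:off + 16])
        if off + 16 + caplen > len(data):
            # record header promises more bytes than exist: the writer died mid-packet
            raise ValueError("truncated record at offset %d" % off)
        ts = sec + sub / frac
        stats["packets"] += 1
        stats["bytes_on_wire"] += wirelen
        if caplen < wirelen:
            stats["truncated"] += 1
        if prev is not None and ts - prev > max_gap_seconds:
            stats["gaps"] += 1
        if stats["first_ts"] is None:
            stats["first_ts"] = ts
        stats["last_ts"] = ts
        prev = ts
        off += 16 + caplen
    return stats
```

Run the check on each rotated file before it is archived; a non-zero truncated count means the snaplen is too small for a forensic record, and gaps should be compared against the capture tool's own drop counters.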
------------------------------------------------------------------------------
Learn Graph Databases - Download FREE O'Reilly Book
"Graph Databases" is the definitive new guide to graph databases and their
applications. Written by three acclaimed leaders in the field,
this first edition is now available. Download your free book today!
http://p.sf.net/sfu/13534_NeoTech
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
------------------------------------------------------------------------------