Snort mailing list archives
Re: getting a full copy of pcap for forensic purposes from Snort
From: Y M <snort () outlook com>
Date: Thu, 20 Mar 2014 15:40:51 +0000
We had a sensor that ran both Snort and Daemonlogger on the same box for a while and we did not notice any increased packet drops from Snort's perspective, but that was a while ago. The transparent mode in which you are running PF_RING will largely affect what full packet capture tool you will use.

YM

From: kslong () mitre org
To: snort () outlook com
Subject: RE: [Snort-users] getting a full copy of pcap for forensic purposes from Snort
Date: Thu, 20 Mar 2014 15:02:46 +0000

Makes sense. I am just not sure how I get Snort to see all the packets also if I have Daemonlogger listening and grabbing packets off the interface. If you are using PF_RING for the interface, like a lot of us do, there is a real danger that PF_RING will overwrite a packet with a new packet once a process reads from the ring. If Daemonlogger is quicker, which I assume it would be, Snort may not get the chance to read all the packets off the ring.

Kerry

From: Y M [mailto:snort () outlook com]
Sent: Thursday, March 20, 2014 9:42 AM
To: Long, Kerry S
Cc: Snort-users
Subject: RE: [Snort-users] getting a full copy of pcap for forensic purposes from Snort

Hi Kerry,

I would go with something like Daemonlogger or netsniff-ng for full packet captures. It relieves the overhead from Snort, as it may start dropping packets.

Thanks
YM

Sent from Mobile

From: Long, Kerry S
Sent: 3/20/2014 4:27 PM
To: snort-users () lists sourceforge net
Subject: [Snort-users] getting a full copy of pcap for forensic purposes from Snort

I am trying to create a sensor with Snort that has Snort listening on the interface processing rules and such while also creating a full copy of pcap seen on the interface for forensic purposes. I have enough storage to hold about a month of pcap in this instance. I am familiar with the capability of using a log rule to log packets, but the problem is that the pcap has to go through all the alert rules first, it seems, before it can be logged.

The problem is that packets can be dropped as the amount of network traffic increases during the day. I have tried using this in my config file to alleviate the problem:

# Per Packet latency configuration
config ppm: max-pkt-time 100, \
            fastpath-expensive-packets, \
            pkt-log

This has helped somewhat, but I am still not logging some packets (which for a forensic record is bad) and I am missing the benefit of several Snort rules that take more than 100 usecs. Any ideas how I can get Snort to both log all packets to disk and alert on traffic it sees on the interface?

Thanks,
Kerry
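The packet loss Kerry describes can be measured rather than guessed at. The script below is an added example, not code from this thread or from the Snort or Daemonlogger projects: using only the Python standard library it parses two classic libpcap files and lists the packets present in the full capture (for example Daemonlogger's output) but absent from Snort's own log pcap. It assumes both files are plain libpcap (not pcapng) taken from the same interface, so that timestamp, wire length and leading bytes identify a packet; build_pcap and the sample packets are constructed for illustration.

```python
import struct
from collections import Counter

# libpcap magic numbers as read little-endian: (struct byte order, multiplier to ns)
_MAGICS = {0xA1B2C3D4: ("<", 1000), 0xD4C3B2A1: (">", 1000),   # microsecond files
           0xA1B23C4D: ("<", 1), 0x4D3CB2A1: (">", 1)}         # nanosecond files

def read_pcap(data):
    """Yield (timestamp_ns, wire_len, packet_bytes) for each record in a pcap image."""
    magic = struct.unpack("<I", data[:4])[0]
    if magic not in _MAGICS:
        raise ValueError("not a classic libpcap file")
    end, frac_mult = _MAGICS[magic]
    off = 24                                   # skip the 24-byte global header
    while off + 16 <= len(data):
        sec, frac, incl, orig = struct.unpack(end + "IIII", data[off:off + 16])
        off += 16
        pkt = data[off:off + incl]
        if len(pkt) < incl:
            break                              # truncated trailing record (tool died mid-write)
        off += incl
        yield sec * 1_000_000_000 + frac * frac_mult, orig, pkt

def packet_key(ts_ns, wire_len, pkt):
    # Timestamp, wire length and the first 64 captured bytes identify a packet well enough
    # to match the same frame across two capture tools on one interface.
    return (ts_ns, wire_len, pkt[:64])

def missing_from(full_capture, snort_log):
    """Return keys of packets in the full capture that Snort's log pcap does not contain."""
    have = Counter(packet_key(*p) for p in read_pcap(snort_log))
    missing = []
    for p in read_pcap(full_capture):
        k = packet_key(*p)
        if have[k] > 0:
            have[k] -= 1                       # consume one copy (handles duplicate frames)
        else:
            missing.append(k)
    return missing

def build_pcap(packets, snaplen=65535, linktype=1):
    """Build a microsecond little-endian pcap image from (ts_ns, bytes) pairs (constructed test data)."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, linktype)]
    for ts_ns, pkt in packets:
        sec, usec = divmod(ts_ns // 1000, 1_000_000)
        out.append(struct.pack("<IIII", sec, usec, len(pkt), len(pkt)) + pkt)
    return b"".join(out)
```

On a real sensor, read both files from disk and run missing_from over each rotation interval; a non-empty result shows exactly which frames the Snort path lost.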