Snort mailing list archives
Re: NIDS + packet logging - only alert packets get logged
From: James Lay <jlay () slave-tothe-box net>
Date: Wed, 09 Mar 2016 12:41:01 -0700
Wireshark's dumpcap works well:

    /usr/local/bin/dumpcap -q -b filesize:409600 -b files:150 -Z none -f "tcp port 80" -i eth0 -w /home/pcaps/capture/webtraffic.pcap

chops it up into 400 meg pieces and will auto-delete after 150 files. It's a little wonky with file deletion when you reboot, but other than that it works well enough.

James

On 2016-03-09 09:55, Rich Lee wrote:
Thanks all, so I have a few options:

1. run tcpdump for capture and snort in NIDS mode
2. run 2x snort instances, one in each mode I want
3. Kinda like tcpdump I've used netsniff-ng before for captures, as AFAIK it's more efficient using PF_RING to avoid userspace.

The RedHat/Sguil link is brilliant. I'm off to investigate.

Thanks again.

On 09/03/16 16:47, Rodgers, Anthony (DTMB) wrote:

Hi Rich,

This solution (http://nsmwiki.org/index.php?title=Sguil_on_RedHat_HOWTO#On_your_server) which is basically the precursor to SecurityOnion calls for two instances of snort, one running in IDS mode, one running in packet logging mode. I don't think you can combine the two into one instance.

--
Anthony Rodgers
Security Analyst
Michigan Security Operations Center (MiSOC)
DTMB, Michigan Cyber Security

-----Original Message-----
From: Rich Lee [mailto:laughingblade () gmail com]
Sent: Wednesday, March 09, 2016 11:15
To: Al Lewis (allewi) <allewi () cisco com>
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] NIDS + packet logging - only alert packets get logged

Thanks Al, that's useful info. As far as Security Onion goes I'm just reading the startup script... it looks like he runs netsniff-ng for packet capture, and then snort in NIDS mode.

Cheers!

Rich Lee

On 09/03/16 15:58, Al Lewis (allewi) wrote:

Sorry.. I have never used Security Onion. Based on what I have seen in the manual you can do one or the other but not both at the same time. If you supply a conf snort goes into NIDS mode.

Good luck!

Albert Lewis
QA Software Engineer
SOURCEfire, Inc. now part of Cisco
9780 Patuxent Woods Drive
Columbia, MD 21046
Phone: (office) 443.430.7112
Email: allewi () cisco com

-----Original Message-----
From: Rich Lee [mailto:laughingblade () gmail com]
Sent: Wednesday, March 09, 2016 10:49 AM
To: Al Lewis (allewi)
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] NIDS + packet logging - only alert packets get logged

Thanks Al.
What I want to do is precisely *not* that: I want to run NIDS mode so I get alerts, and I also want to capture all packets. AFAIK SecurityOnion does this.

On 09/03/16 15:35, Al Lewis (allewi) wrote:

See the next page:

"To enable Network Intrusion Detection System (NIDS) mode so that you don't record every single packet sent down the wire, try this:

    ./snort -dev -l ./log -h 192.168.1.0/24 -c snort.conf"

http://manual.snort.org/node6.html

Albert Lewis
QA Software Engineer
SOURCEfire, Inc. now part of Cisco
9780 Patuxent Woods Drive
Columbia, MD 21046
Phone: (office) 443.430.7112
Email: allewi () cisco com

-----Original Message-----
From: Al Lewis (allewi)
Sent: Wednesday, March 09, 2016 10:32 AM
To: 'Rich Lee'
Cc: snort-users () lists sourceforge net
Subject: RE: [Snort-users] NIDS + packet logging - only alert packets get logged

If you are running in IDS mode (WITH a conf file) then ONLY the alert traffic is captured. If you run WITHOUT a conf file then ALL traffic is captured. I think you are trying to mix packet logger with NIDS mode.

Albert Lewis
QA Software Engineer
SOURCEfire, Inc. now part of Cisco
9780 Patuxent Woods Drive
Columbia, MD 21046
Phone: (office) 443.430.7112
Email: allewi () cisco com

-----Original Message-----
From: Rich Lee [mailto:laughingblade () gmail com]
Sent: Wednesday, March 09, 2016 9:47 AM
To: snort-users () lists sourceforge net
Subject: [Snort-users] NIDS + packet logging - only alert packets get logged

Hi, newbie kind of Q I'm afraid:

I'm running snort 2.9.8.0 & Barnyard2 in an Ubuntu 14.04 VM, set up according to Noah Dietrich's guide. I want to run snort as NIDS to alert, but also capture *all* packets. According to http://manual.snort.org/node5.html I should be good with './snort -l ./log -b'

The command I'm running is './snort -c /pathto/snort.conf -i eth0 -l /pathto/log -b', and I'm seeing timestamped log files as expected, but only for alerts, not for other traffic...
My understanding from the docs is that the command line log switch should log *all* packets, and output modules configured in snort.conf will log processed/detected alert packets. I've tried this with output module configured, and with no output modules at all - but snort continues to log only alerting packets. I've confirmed that there actually is other traffic to be captured by running wireshark alongside.

Does the -l -b switch work? Am I possibly missing something obvious?

TIA

Rich Lee

------------------------------------------------------------------------------
Transform Data into Opportunity. Accelerate data analysis in your applications with Intel Data Analytics Acceleration Library. Click to learn more. http://pubads.g.doubleclick.net/gampad/clk?id=278785111&iu=/4140
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
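The thread settles on the split the Sguil HOWTO and Security Onion use: snort stays in NIDS mode (with -c, so it writes only alerting packets) and a separate process does full packet capture with a ring buffer. The script below is an added example, not code from the thread or from any of the projects mentioned. It wraps James Lay's dumpcap command (the -b filesize/files, -Z none, -f, -i and -w options are his) and adds a prune step for the reboot case he mentions: dumpcap only rotates files created in its current run, so files left from the previous run have to be removed by something else. The function names, the mtime-based prune, the snort command-line check and the sample values are assumptions; the pcap file names in the usage note follow dumpcap's base_seq_timestamp pattern.

```shell
#!/bin/sh
# Added example (not from the thread): dumpcap ring-buffer capture alongside
# a snort NIDS instance, plus a prune step that re-applies the file-count
# cap after a restart. Function names and defaults are assumptions.
set -eu

# Build the dumpcap command line: a ring of NFILES files of SIZE_KB each.
build_capture_cmd() {
    iface=$1; filter=$2; outfile=$3; size_kb=$4; nfiles=$5
    printf '%s' "/usr/local/bin/dumpcap -q -b filesize:${size_kb} -b files:${nfiles} -Z none -f \"${filter}\" -i ${iface} -w ${outfile}"
}

# Worst-case disk use of the ring in MiB (files * filesize, filesize in KB):
# the thread's 409600 KB * 150 files is 60000 MiB, worth knowing up front.
ring_budget_mib() {
    echo $(( $1 * $2 / 1024 ))
}

# Return 0 only if a snort command line would log every packet. With -c
# (NIDS mode) snort writes only alerting packets to the -l/-b log, which is
# exactly what the original poster saw; packet-logger mode is -b without -c.
snort_cmd_logs_all_packets() {
    case " $1 " in
        *" -c "*) return 1 ;;
        *" -b "*) return 0 ;;
        *)        return 1 ;;
    esac
}

# Count the pcap files currently in the ring for a given file-name prefix.
ring_count() {
    ls -1 "$1"/"$2"_*.pcap 2>/dev/null | wc -l | tr -d ' '
}

# dumpcap deletes only files it created in the current run, so after a
# restart the previous run's files stay on disk and the cap is exceeded.
# Delete the oldest by modification time until KEEP remain. mtime rather
# than file name is used because the sequence number in dumpcap's file
# names restarts at 00001 on every run, so a name sort would interleave runs.
prune_ring() {
    dir=$1; prefix=$2; keep=$3
    excess=$(( $(ring_count "$dir" "$prefix") - keep ))
    [ "$excess" -gt 0 ] || return 0
    ls -1tr "$dir"/"$prefix"_*.pcap | head -n "$excess" | while IFS= read -r f; do
        rm -f -- "$f"
    done
}

# Start the capture in the background and print its PID. A typical sequence,
# using the thread's own values (snort keeps its own -l log for alerts):
#   prune_ring /home/pcaps/capture webtraffic 150
#   start_capture eth0 "tcp port 80" /home/pcaps/capture/webtraffic.pcap 409600 150
#   snort -c /etc/snort/snort.conf -i eth0 -l /var/log/snort
start_capture() {
    cmd=$(build_capture_cmd "$@")
    sh -c "$cmd" &
    echo $!
}
```

Because a fresh dumpcap run adds up to 150 new files on top of whatever the previous run left behind, a one-off prune at boot only bounds the leftovers; running prune_ring from cron every few minutes with the same keep value is what keeps the total on disk at the budget ring_budget_mib reports. Files are assumed to be named like webtraffic_00001_20160309124101.pcap, the pattern dumpcap produces for a ring buffer.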
Current thread:
- Re: NIDS + packet logging - only alert packets get logged, (continued)
- Re: NIDS + packet logging - only alert packets get logged Rich Lee (Mar 09)
- Re: NIDS + packet logging - only alert packets get logged Al Lewis (allewi) (Mar 09)
- Re: NIDS + packet logging - only alert packets get logged Rich Lee (Mar 09)
- Re: NIDS + packet logging - only alert packets get logged Carter Waxman (cwaxman) (Mar 09)
- Re: NIDS + packet logging - only alert packets get logged Joel Esler (jesler) (Mar 09)
- Re: NIDS + packet logging - only alert packets get logged Rich Lee (Mar 10)
- Re: NIDS + packet logging - only alert packets get logged Joel Esler (jesler) (Mar 10)
- Re: NIDS + packet logging - only alert packets getlogged Rich Lee (Mar 10)
- Re: NIDS + packet logging - only alert packets get logged Rich Lee (Mar 09)
- Re: NIDS + packet logging - only alert packets get logged Rodgers, Anthony (DTMB) (Mar 09)
- Re: NIDS + packet logging - only alert packets get logged Rich Lee (Mar 09)
- Re: NIDS + packet logging - only alert packets get logged James Lay (Mar 09)