Snort mailing list archives

Re: NIDS + packet logging - only alert packets get logged


From: James Lay <jlay () slave-tothe-box net>
Date: Wed, 09 Mar 2016 12:41:01 -0700

Wireshark's dumpcap works well:

/usr/local/bin/dumpcap -q -b filesize:409600 -b files:150 -Z none -f "tcp port 80" -i eth0 -w /home/pcaps/capture/webtraffic.pcap

chops it up into 400 meg pieces and will auto-delete after 150 files.  
It's a little wonky with file deletion when you reboot, but other than 
that it works well enough.

James
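The dumpcap ring buffer above only tracks the files it created in the current run, which is why deletion gets "wonky" after a reboot: whatever the previous run left behind is never counted against the 150-file cap. The wrapper below, an added example and not something posted in this thread, prunes the capture directory back to the cap before starting dumpcap with the same options as James's command line. The capture directory, interface name and dumpcap path are taken from his post; the function names and the "run" argument are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread): wrap dumpcap's ring buffer with a
# prune step so files left behind by a previous boot do not push the
# directory past the cap. Limits mirror James's command (150 files, 400 MB);
# the directory, interface and dumpcap path are assumptions taken from it.

CAPTURE_DIR="${CAPTURE_DIR:-/home/pcaps/capture}"
IFACE="${IFACE:-eth0}"
MAX_FILES=150
FILESIZE_KB=409600     # dumpcap's -b filesize is in kB, so this is ~400 MB

# count_pcaps DIR: number of regular *.pcap files directly inside DIR.
count_pcaps() {
    find "$1" -maxdepth 1 -name '*.pcap' -type f | wc -l | tr -d ' '
}

# prune_ring DIR KEEP: delete the oldest *.pcap files in DIR until at most
# KEEP remain. dumpcap's "-b files:N" only reclaims files it wrote itself in
# the current session, so after a reboot this does that job before it starts.
prune_ring() {
    dir=$1
    keep=$2
    count=$(count_pcaps "$dir")
    excess=$((count - keep))
    [ "$excess" -gt 0 ] || return 0
    # ls -tr lists oldest first. dumpcap names contain no whitespace, so a
    # line-oriented read is safe here.
    ls -tr "$dir"/*.pcap 2>/dev/null | head -n "$excess" | while IFS= read -r f; do
        rm -f -- "$f"
    done
}

# start_capture: James's dumpcap ring buffer, run after pruning. Snort runs
# as a separate process in NIDS mode (-c snort.conf) on the same interface.
start_capture() {
    prune_ring "$CAPTURE_DIR" "$MAX_FILES"
    exec /usr/local/bin/dumpcap -q -b "filesize:$FILESIZE_KB" -b "files:$MAX_FILES" \
        -Z none -f "tcp port 80" -i "$IFACE" -w "$CAPTURE_DIR/webtraffic.pcap"
}

# Only start capturing when invoked as "script.sh run"; sourcing the file just
# defines the functions so prune_ring can be exercised on a scratch directory.
if [ "${1:-}" = "run" ]; then
    start_capture
fi
```

Run it from the same init script that starts snort in NIDS mode; the prune step costs one directory listing and keeps the on-disk footprint predictable regardless of how the previous capture ended.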

On 2016-03-09 09:55, Rich Lee wrote:
Thanks all,

so I have a few options:
1. run tcpdump for capture and snort in NIDS mode
2. run 2x snort instances, one in each mode I want
3. Kinda like tcpdump I've used netsniff-ng before for captures, as
AFAIK it's more efficient using PF_RING to avoid userspace.

The RedHat/Sguil link is brilliant.

I'm off to investigate. Thanks again.

On 09/03/16 16:47, Rodgers, Anthony (DTMB) wrote:
Hi Rich,

This solution 
(http://nsmwiki.org/index.php?title=Sguil_on_RedHat_HOWTO#On_your_server) 
which is basically the precursor to SecurityOnion calls for two 
instances of snort, one running in IDS mode, one running in packet 
logging mode. I don't think you can combine the two into one instance.

--
Anthony Rodgers
Security Analyst
Michigan Security Operations Center (MiSOC)
DTMB, Michigan Cyber Security

-----Original Message-----
From: Rich Lee [mailto:laughingblade () gmail com]
Sent: Wednesday, March 09, 2016 11:15
To: Al Lewis (allewi) <allewi () cisco com>
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] NIDS + packet logging - only alert packets get logged

Thanks Al,

that's useful info.

As far as Security Onion goes I'm just reading the startup script... 
it looks like he runs netsniff-ng for packet capture, and then snort 
in NIDS mode.

Cheers!

Rich Lee

On 09/03/16 15:58, Al Lewis (allewi) wrote:
Sorry.. I have never used Security Onion.

Based on what I have seen in the manual you can do one or the 
other but not both at the same time.

If you supply a conf snort goes into NIDS mode.

Good luck!

Albert Lewis
QA Software Engineer
SOURCEfire, Inc. now part of Cisco
9780 Patuxent Woods Drive
Columbia, MD 21046
Phone: (office) 443.430.7112
Email: allewi () cisco com


-----Original Message-----
From: Rich Lee [mailto:laughingblade () gmail com]
Sent: Wednesday, March 09, 2016 10:49 AM
To: Al Lewis (allewi)
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] NIDS + packet logging - only alert packets get logged

Thanks Al. What I want to do is precisely *not* that: I want to run 
NIDS mode so I get alerts, and I also want to capture all packets. 
AFAIK SecurityOnion does this.

On 09/03/16 15:35, Al Lewis (allewi) wrote:
See the next page:

"To enable Network Intrusion Detection System (NIDS) mode so that 
you don't record every single packet sent down the wire, try this:

  ./snort -dev -l ./log -h 192.168.1.0/24 -c snort.conf"

http://manual.snort.org/node6.html




Albert Lewis
QA Software Engineer
SOURCEfire, Inc. now part of Cisco
9780 Patuxent Woods Drive
Columbia, MD 21046
Phone: (office) 443.430.7112
Email: allewi () cisco com


-----Original Message-----
From: Al Lewis (allewi)
Sent: Wednesday, March 09, 2016 10:32 AM
To: 'Rich Lee'
Cc: snort-users () lists sourceforge net
Subject: RE: [Snort-users] NIDS + packet logging - only alert packets get logged

If you are running in IDS mode (WITH a conf file)  then ONLY the 
alert traffic is captured.

If you run WITHOUT a conf file then ALL traffic is captured.

I think you are trying to mix packet logger with NIDS mode.

Albert Lewis
QA Software Engineer
SOURCEfire, Inc. now part of Cisco
9780 Patuxent Woods Drive
Columbia, MD 21046
Phone: (office) 443.430.7112
Email: allewi () cisco com

-----Original Message-----
From: Rich Lee [mailto:laughingblade () gmail com]
Sent: Wednesday, March 09, 2016 9:47 AM
To: snort-users () lists sourceforge net
Subject: [Snort-users] NIDS + packet logging - only alert packets get logged

Hi,

newbie kind of Q I'm afraid:

I'm running snort 2.9.8.0 & Barnyard2 in an Ubuntu 14.04 VM, set up 
according to Noah Dietrich's guide.

I want to run snort as NIDS to alert, but also capture *all* 
packets.
According to http://manual.snort.org/node5.html I should be good 
with './snort -l ./log -b'

The command I'm running is './snort -c /pathto/snort.conf -i eth0 -l 
/pathto/log -b', and I'm seeing timestamped log files as expected, 
but only for alerts, not for other traffic...

My understanding from the docs is that the command line log switch 
should log *all* packets, and output modules configured in 
snort.conf will log processed/detected alert packets. I've tried 
this with output module configured, and with no output modules at 
all - but snort continues to log only alerting packets. I've 
confirmed that there actually is other traffic to be captured by 
running wireshark alongside.

Does the -l -b switch work? Am I possibly missing something obvious?

TIA
Rich Lee

------------------------------------------------------------------------------
Transform Data into Opportunity.
Accelerate data analysis in your applications with Intel Data 
Analytics Acceleration Library.
Click to learn more.
http://pubads.g.doubleclick.net/gampad/clk?id=278785111&iu=/4140
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest 
Snort news!