Snort mailing list archives
Re: Displaying few packets before a matched packet
From: carlopmart <carlopmart () gmail com>
Date: Fri, 18 Nov 2011 17:05:57 +0100
On 11/18/2011 04:22 PM, Martin Holste wrote:
>> Hey everyone, I'm new to snort and was wondering if this is possible.
>> Suppose a packet is matched by an alert rule, is it possible to make
>> snort display few of the preceding packets as well?
>
> Not really, which is one of the reasons people run things like
> daemonlogger. We were just discussing alternatives last night with
> things like URL logging. Generally speaking, you should have something
> doing general logging alongside Snort to provide context to the alerts.
> For general contextual information without the overhead of full pcap, I
> recommend running Bro along with Snort. It will generically log
> connections, URL's, SMTP, SMTP entities, do full file carving of
> HTTP/SMTP objects, etc. That way when you get a Snort alert, you can
> grep for the offending IP in your Bro logs to see what it was up to.
> There are many, many ways of doing this with other solutions, this is
> just one example.
That's what I have been searching for a long time. I really like to do this with
bro but it is terribly difficult to configure. Do you have some sample,
Martin, for example to log smtp and http requests?
--
CL Martinez
carlopmart {at} gmail {d0t} com
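Martin's suggestion above is to run Bro beside Snort and grep its logs for the offending address. The Python script below is an added example for this thread, not Snort's or Bro's own tooling, and it takes that one step further: it parses a Snort alert_fast line and two Bro ASCII logs (conn.log and http.log) and lists what the alerting source address was doing in the seconds before the alert fired, which is the context the original question asked for. All log lines are constructed sample data trimmed to a handful of Bro's #fields; the year passed to the alert parser is an assumption, because alert_fast timestamps omit it.

```python
"""Pull the Bro (now Zeek) log records that precede a Snort alert.

Added example for this thread, not Snort's or Bro's own tooling. It parses one
Snort alert_fast line plus Bro ASCII logs (conn.log, http.log) and lists what
the alerting source address did in the seconds before the alert fired.
All log content below is constructed sample data.
"""
import calendar
import re

# Constructed Snort alert_fast line. Snort omits the year, so the caller
# supplies it (an assumption of this script).
SNORT_ALERT = (
    "11/18-16:22:10.250000  [**] [1:1000001:0] EXAMPLE rule hit [**] "
    "[Classification: Misc activity] [Priority: 3] {TCP} "
    "192.0.2.10:49152 -> 203.0.113.5:80"
)

# Constructed Bro ASCII logs, cut down to a few #fields each. Timestamps are
# Unix epoch seconds; 1321633330 is 2011-11-18 16:22:10 UTC, the alert time.
BRO_LOGS = {
    "conn": (
        "#separator \\x09\n"
        "#path\tconn\n"
        "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\n"
        "#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tstring\n"
        "1321633200.100000\tCa1\t192.0.2.10\t49150\t198.51.100.7\t53\tudp\tdns\n"
        "1321633215.500000\tCa2\t192.0.2.10\t49151\t203.0.113.5\t80\ttcp\thttp\n"
        "1321633290.000000\tCa3\t192.0.2.11\t40000\t203.0.113.5\t80\ttcp\thttp\n"
        "1321633305.000000\tCa4\t192.0.2.10\t49152\t203.0.113.5\t80\ttcp\thttp\n"
        "1321633400.000000\tCa5\t192.0.2.10\t49153\t203.0.113.5\t80\ttcp\thttp\n"
    ),
    "http": (
        "#path\thttp\n"
        "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tmethod\thost\turi\n"
        "1321633215.600000\tCa2\t192.0.2.10\t49151\t203.0.113.5\t80\tGET\twww.example.com\t/index.html\n"
        "1321633305.100000\tCa4\t192.0.2.10\t49152\t203.0.113.5\t80\tGET\twww.example.com\t/cgi-bin/form\n"
    ),
}

# alert_fast layout: MM/DD-HH:MM:SS.uuuuuu ... {PROTO} src:sport -> dst:dport
ALERT_RE = re.compile(
    r"^(?P<mon>\d\d)/(?P<day>\d\d)-(?P<h>\d\d):(?P<m>\d\d):(?P<s>\d\d)\.(?P<us>\d{6})"
    r".*\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)"
)


def parse_snort_alert(line, year):
    """Turn an alert_fast line into a dict with an epoch timestamp and the 5-tuple."""
    m = ALERT_RE.match(line)
    if m is None:
        raise ValueError("not an alert_fast line: %r" % line)
    secs = calendar.timegm((year, int(m["mon"]), int(m["day"]),
                            int(m["h"]), int(m["m"]), int(m["s"]), 0, 0, 0))
    return {"ts": secs + int(m["us"]) / 1e6, "proto": m["proto"],
            "src": m["src"], "sport": int(m["sport"]),
            "dst": m["dst"], "dport": int(m["dport"])}


def parse_bro_log(text):
    """Yield one dict per record of a Bro ASCII log, keyed by its #fields names."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#"):
            if fields is None:
                raise ValueError("record before #fields header")
            yield dict(zip(fields, line.split("\t")))


def preceding_activity(alert, logs, window=120.0):
    """Return (ts, log_name, record) for every record involving the alert's source
    address within `window` seconds before (and up to) the alert, oldest first."""
    start, end = alert["ts"] - window, alert["ts"]
    hits = []
    for name, text in logs.items():
        for rec in parse_bro_log(text):
            ts = float(rec["ts"])
            if start <= ts <= end and alert["src"] in (rec["id.orig_h"], rec["id.resp_h"]):
                hits.append((ts, name, rec))
    hits.sort(key=lambda hit: hit[0])
    return hits


def describe(alert, hit):
    """One-line summary of a hit: offset from the alert, log name, flow, detail."""
    ts, name, rec = hit
    if name == "http":
        detail = "%s %s%s" % (rec["method"], rec["host"], rec["uri"])
    else:
        detail = rec.get("service", "")
    return "%+8.1fs  %-4s  %s:%s -> %s:%s  %s" % (
        ts - alert["ts"], name, rec["id.orig_h"], rec["id.orig_p"],
        rec["id.resp_h"], rec["id.resp_p"], detail)


if __name__ == "__main__":
    alert = parse_snort_alert(SNORT_ALERT, year=2011)
    print("alert at %.6f from %s, Bro activity in the prior 120 s:" % (alert["ts"], alert["src"]))
    for hit in preceding_activity(alert, BRO_LOGS, window=120.0):
        print(describe(alert, hit))
```

Against a real deployment you would read the Bro log files from disk instead of the inline strings and widen `window` to taste; the `uid` column lets you tie the conn.log entry to its http.log request, which is how the last two hits above line up with the connection the alert fired on.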
