Hosting Provided By

[Snort-users] "Saving State" in Snort

From: Michael L. Artz <dragon(at)october29.net>
Date: Sun Mar 30 2003 - 23:14:21 EST

I am fairly new to Snort, so feel free to abuse away ...

Anyway, when running snort offline on a tcpdump audit trail, is there a way to tell snort to "save state" (perhaps to a file) so that when I run Snort on two different files, it remembers what was in the first (for session reconstuction, fragmentation reassembly, etc) when I run the second through?

My problem is thus: I have a ton of nicely gzipped tcpdump audit logs that I periodically save off to DVD. I would like to run them through Snort with all of the signatures turned on to see if I can see anything that was missed by the live, tuned, production Snort. Sort of an in-house network forensics. I don't, however, want to have to ungzip them all, merge them together with something like mergecap, and then run the gigantic file through Snort, especially since the files span multiple DVDs. I also don't want to miss anything that might have occurred that spans multiple files.

Without a way for Snort to "save state" between files, I have come to two possibilites: a) replay all of the traffic on a private net using something like tcpreplay, or b) merge two files, run them through, and then merge the last file of the previos round and run it through marged with the next file, i.e. file1 and file2, then file2 and file3, then file3 and file4. The latter solution still has problems with breaks
(hopefully less) and has the added complexity of weeding out duplicate
alerts before they reach the database. I would rather not have to do the former, as management doesn't seem to like me replaying traffic onto company computers.

Is there an intelligent way to do this? I think that having Snort
(optionally) dump its current state and then be able to read it in and
start where it left off would be pretty cool, and solve my situation nicely.

Any help would be appreciated.

Thanks
-Mike

This SF.net email is sponsored by: ValueWeb: Dedicated Hosting for just $79/mo with 500 GB of bandwidth! No other company gives more support or power for your dedicated server http://click.atdmt.com/AFF/go/sdnxxaff00300020aff/direct/01/

Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users Received on Mon Mar 31 14:48:01 2003

This message: [ Message body ]
Next message: Rob McMillen: "[Snort-users] snort_inline-1.9.1-2 release"
Previous message: Scheidell(at)secnap.com: "RE: [Snort-users] Snort 2.0 libnet config --cflags broken still?"
Next in thread: Chris Green: "Re: [Snort-users] "Saving State" in Snort"
Reply: Chris Green: "Re: [Snort-users] "Saving State" in Snort"

Contemporary messages sorted: [ By Date ] [ By Thread ] [ By Subject ] [ By Author ] [ By messages with attachments ]

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:11:55 EDT

Do you need help?