All Packets with a session
Brought to you by: secureideas, sinukas
If you've got a wishlist somewhere, I've got another item. :) With the stream code in snort these days there may be more than one recorded packet for a signature, and the packet with the signature id associated might not be the one that triggered the alert. It would be cool if there were a button on the packet inspection page called "show me all packets associated with this session" or some such, which would pull up the tag packets that have the same IPs & ports as the original packet.
Mike Stone
Logged In: YES
user_id=853584
We can build that into present functionality I think. I don't know if we have to wait until 2.0 to build that.
Logged In: NO
We did have a workaround for this when we used snort's XML output. We fed that into a perl script that reassembled the payload by appending tagged packet payload onto the payload of the firing event. But, we switched to barnyard and its ACID DB output plugin that goes direct to the DB and hosed the whole deal. We are looking for a solution to return this capability. One other thing that we had was, we added a response payload field and as the tagged packets were processed, checked for direction and added the payload in the right place/field. Then, we modified acid_query_alert to show response right under payload. It helped immensely with false positive verification.
Logged In: YES
user_id=853584
And then print it out into one plain text display, so it looks like Ethereal's "Follow TCP stream".
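The session grouping asked for in the original request, the perl-script workaround described in the anonymous comment (append tagged payloads to the firing event's payload, split by direction into a payload and a response field), and the "Follow TCP stream" style display suggested above, worked through as one added example. This is illustration code written for this thread, not ACID's or barnyard's own code. It operates on in-memory rows constructed here to stand in for the Snort DB tables (the field names are an assumption about the iphdr/tcphdr/data layout), so it runs offline; in a real console the same selection would be a join of those tables on (sid, cid) filtered by the 4-tuple in either orientation.

```python
"""Rebuild a Snort session around an alerting packet: collect the tagged
packets that share its IPs and ports, reassemble the two directions
separately, and render the exchange as a "Follow TCP stream" text view.

Added example for this feature-request thread; not ACID/barnyard code.
"""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Packet:
    """One logged packet. Field names are an assumed flattening of the
    Snort DB iphdr/tcphdr/data tables keyed by cid."""
    cid: int
    timestamp: str          # ISO-8601 text sorts chronologically
    ip_src: str
    ip_dst: str
    sport: int
    dport: int
    payload: bytes
    tagged: bool = False    # True for packets logged by a rule's tag: option


Endpoint = Tuple[str, int]


def flow_key(p: Packet) -> Tuple[Endpoint, Endpoint]:
    """Direction-independent session key: order the two endpoints so a
    packet and its reply map to the same key."""
    a, b = (p.ip_src, p.sport), (p.ip_dst, p.dport)
    return (a, b) if a <= b else (b, a)


def session_packets(event: Packet, rows: List[Packet]) -> List[Packet]:
    """'Show me all packets associated with this session': every row with
    the event's IPs and ports, in capture order (timestamp, then cid)."""
    key = flow_key(event)
    return sorted((r for r in rows if flow_key(r) == key),
                  key=lambda r: (r.timestamp, r.cid))


def is_request(event: Packet, p: Packet) -> bool:
    """A packet travels in the event's direction when its source endpoint
    equals the firing event's source endpoint."""
    return (p.ip_src, p.sport) == (event.ip_src, event.sport)


def reassemble(event: Packet, rows: List[Packet]) -> Tuple[bytes, bytes]:
    """Append tagged payloads onto the firing event's payload, keeping the
    two directions in separate 'payload' and 'response' buffers."""
    request, response = b"", b""
    for p in session_packets(event, rows):
        if is_request(event, p):
            request += p.payload
        else:
            response += p.payload
    return request, response


def follow_stream(event: Packet, rows: List[Packet]) -> str:
    """Plain-text rendering in the style of Ethereal's 'Follow TCP stream':
    one line per packet, '->' for the event's direction, '<-' for replies."""
    out = []
    for p in session_packets(event, rows):
        arrow = "->" if is_request(event, p) else "<-"
        text = p.payload.decode("ascii", errors="replace").rstrip("\r\n")
        out.append(f"cid={p.cid} {arrow} {text}")
    return "\n".join(out)


# Constructed sample rows (not captured traffic): one firing event, two
# tagged packets of the same connection, and one packet from a different
# client port between the same hosts that must not be pulled in.
EVENT = Packet(1, "2004-03-01T10:00:00", "10.0.0.5", "192.0.2.10",
               40000, 80, b"GET /cgi-bin/test HTTP/1.0\r\n")
ROWS = [
    EVENT,
    Packet(2, "2004-03-01T10:00:00.1", "10.0.0.5", "192.0.2.10",
           40000, 80, b"Host: victim\r\n\r\n", tagged=True),
    Packet(3, "2004-03-01T10:00:00.2", "192.0.2.10", "10.0.0.5",
           80, 40000, b"HTTP/1.0 200 OK\r\n", tagged=True),
    Packet(4, "2004-03-01T10:00:00.3", "10.0.0.5", "192.0.2.10",
           40001, 80, b"GET / HTTP/1.0\r\n", tagged=True),
]

if __name__ == "__main__":
    req, resp = reassemble(EVENT, ROWS)
    print("payload :", req)
    print("response:", resp)
    print(follow_stream(EVENT, ROWS))
```

The direction check is what keeps the response out of the alert payload: without it, appending every tagged packet would interleave server bytes into the request buffer and make the false-positive review the comment describes harder rather than easier. Matching on the sorted endpoint pair, rather than on the event's own (src, dst) order, is what lets the reply packets join the session at all.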
Logged In: YES
user_id=836228
Part of the TODO for 2.x