Packetcapture with Snort using the "tag" option

Posted Mar 02 (Information, Linux Distributions, OpenSourceSoftware, Security, Snort, Sourcefire)

I did this several years ago, but when I switched to full packet capture I no longer had a need for catching a pcap of the traffic that fires a rule.

You can do this with the tag option in Snort. If you want to know more, read README.tag in the doc directory of the Snort source distribution.

Here is a signature that logs the first 1000 bytes or 100 seconds (whichever comes first) of the session after the packet that triggered the event. I look for a SYN flag in a TCP session to or from the evil IP and start logging from there; "0,packets" is meant to say that there is no limit on the number of packets.

alert tcp 85.19.221.54 any <> $HOME_NET any (msg:"GL Log Packet Evil-IP 85.19.221.54 (gamelinux.org)"; flags:S; tag:session,1000,bytes,100,seconds,0,packets; classtype:trojan-activity; sid:201102011; rev:1;)

I use unified2 as the output plugin for Snort (Sourcefire 3D also logs to unified2, IIRC), so I need to fetch the pcap from the unified2 log. Snort 2.9.0 and newer ships with a new tool that helps here, u2boat. It carves the packet records out of the unified2 log and writes them as a pcap file:

# u2boat /var/log/snort/<unified.log.timestamp> /tmp/snort.pcap

From there you can read /tmp/snort.pcap with tcpdump, Wireshark, etc., or just pull out the packets to and from the evil IP:

# tcpdump -r /tmp/snort.pcap -w /tmp/Evil-85.19.221.54-traffic.pcap 'host 85.19.221.54'

If you prefer to stay in the console, you can reassemble the streams with tcpflow:

# tcpflow -c -r /tmp/Evil-85.19.221.54-traffic.pcap

I could not verify that the "0,packets" part actually works. Snort also caps the number of packets logged per tag with the tagged_packet_limit option (256 by default; 0 disables the cap), so I added the following line to my snort.conf as well:

config tagged_packet_limit: 0

But again, I am not sure it works.

I wanted to do some more testing before publishing this, but it has been sitting around for a while, so if I play more with it and find something new, I'll write a new post :)

BTW, turning your Sourcefire 3D into a packet capture device is easy :) With a rule like the one above, you can just click the "Download Packet(s)" button in the Event Information/Packet Information view :) Use such a rule with care though…

3 Responses to "Packetcapture with Snort using the "tag" option"

  1. Bartola
    June 3rd, 2011 at 02:41

    Nice blog.. Thanks!!!!

  2. disable
    April 23rd, 2012 at 17:30

    Thanks for the information. I combined this tag with a couple of other options and now hopefully can capture the payload of the encrypted pushdo trojan

  3. October 22nd, 2012 at 21:41

    Thanks for the info. The link to the README.tag seems to be broken though. This isn't the official one, but dd-wrt has a copy:
    http://svn.dd-wrt.com/browser/src/router/snort/doc/README.tag?rev=head
