Tagging flows with snort alert information for PCAP retrieval
There was a question on the Snort mailing list recently asking for ways to retrieve PCAPs of the flows that generate alerts. The requirements were:
- Retrieve a PCAP containing all the packets that caused an alert
- The PCAP must contain whole flows, not just the packet that triggered the alert
This is a quick post to show how you can do it in Trisul. I am not aware of any other tool, free or commercial, that offers a comparable feature.
Flow taggers
You must configure Flow Taggers to mark flows with alert information. For instructions see Flow Tagging. By default, Trisul marks every flow that generates an alert with the tag IDS. You can create additional taggers, for example to mark flows with alert priorities or signature IDs (sids).
Pulling up flows then packets
First retrieve all flows that generated an alert, say those with Signature ID sid-1000000122.
Go to Tools > Explore Flows, then search by typing tag=sid-1000000122. You will get a list of matching flows.
Simply click Download PCAP to get all the packets of those flows, in both directions, in a single PCAP correctly merged by timestamp.
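The same tag-then-retrieve workflow, as an added stand-alone Python example that is not Trisul code: it reads constructed Snort fast-format alert lines, tags the matching flows (IDS, sid-N, priority-N) using a direction-independent flow key, and pulls back every packet of the tagged flows merged by timestamp. The packet records stand in for PCAP frames and are constructed inline.

```python
import re
from collections import defaultdict

# Constructed packet records standing in for PCAP frames:
# (timestamp, proto, src_ip, src_port, dst_ip, dst_port)
PACKETS = [
    (1.00, "TCP", "10.0.0.5", 51234, "93.184.216.34", 80),  # SYN
    (1.01, "TCP", "93.184.216.34", 80, "10.0.0.5", 51234),  # SYN/ACK
    (1.02, "TCP", "10.0.0.5", 51234, "93.184.216.34", 80),  # ACK
    (1.03, "TCP", "10.0.0.5", 51234, "93.184.216.34", 80),  # request that alerts
    (1.04, "TCP", "93.184.216.34", 80, "10.0.0.5", 51234),  # response
    (1.05, "UDP", "10.0.0.5", 40000, "10.0.0.1", 53),       # unrelated DNS flow
    (1.06, "UDP", "10.0.0.1", 53, "10.0.0.5", 40000),
]

# Constructed Snort "alert_fast" line for the packet at t=1.03 (sid 1000000122)
ALERTS = [
    "01/12-10:00:01.030000  [**] [1:1000000122:1] Example rule [**] "
    "[Priority: 2] {TCP} 10.0.0.5:51234 -> 93.184.216.34:80",
]

# [gid:sid:rev] ... [Priority: N] {PROTO} src:sport -> dst:dport
ALERT_RE = re.compile(r"\[(\d+):(\d+):(\d+)\].*?\[Priority: (\d+)\] \{(\w+)\} "
                      r"([\d.]+):(\d+) -> ([\d.]+):(\d+)")

def flow_key(proto, a_ip, a_port, b_ip, b_port):
    """Direction-independent key so both halves of a conversation map to one flow."""
    ends = sorted([(a_ip, a_port), (b_ip, b_port)])
    return (proto, ends[0], ends[1])

def tag_flows(alerts):
    """Map flow key -> set of tags, the way a flow tagger marks alerting flows."""
    tags = defaultdict(set)
    for line in alerts:
        m = ALERT_RE.search(line)
        if not m:
            continue  # skip lines that are not in fast-alert format
        _gid, sid, _rev, pri, proto, sip, sport, dip, dport = m.groups()
        key = flow_key(proto, sip, int(sport), dip, int(dport))
        tags[key].update({"IDS", f"sid-{sid}", f"priority-{pri}"})
    return tags

def packets_for_tag(packets, tags, wanted):
    """Return every packet (both directions) of each flow carrying the tag, by timestamp."""
    keys = {k for k, t in tags.items() if wanted in t}
    hits = [p for p in packets if flow_key(p[1], p[2], p[3], p[4], p[5]) in keys]
    return sorted(hits, key=lambda p: p[0])
```

Searching for "sid-1000000122" returns all five packets of the TCP conversation, not only the one that alerted, while the unrelated DNS flow is left out.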
More links
For information on how to connect Snort to Trisul, check out our step-by-step guide How to send IDS alerts to Trisul.
You can run Trisul with this feature completely free if you only need to monitor the most recent 3 days.
Free Download Trisul 4.0!