The trigger_worm trigger is used to capture packets when the supplied threshold of scanning IP hosts is exceeded. Triggers of interest for anomaly detection include the trigger_worm trigger, the UDP work weight trigger, and the drops trigger. Trigger-on and -off events are logged in the ourmon event file, which you can find from the main Web page (both at top and bottom). In general, you must create a dump directory and specify a threshold number and packet count for each trigger you use. Ourmon has an automated packet-capture feature that allows packet capture during certain types of anomalous events.Īutomated packet capture is turned on in the probe config file. Since Snort is capable of generating PCAP logs, it is possible to make use of the many available PCAP‐compatible packet sniffers and analyzers, such as the ever popular Ethereal and Iris … and to be completely honest, just about every other network traffic analyzer out there. Because of this and the Win32 ports of PCAP, WinPCAP, Snort has proved quite portable across numerous platforms to include Solaris, Linux, multiple flavors of BSD, and numerous versions of Microsoft's Windows. Snort's network monitoring architecture is based on the PCAP library. The libpcap interface within Snort supports a filtering mechanism called BPF (described in detail in Chapter 5). There are multiple applications within the PCAP library, including network statistics collection, security monitoring, and network debugging. The Packet Capture Library (PCAP) is defined as a portable framework for low‐level network monitoring that uses the standard PCAP format.
Brian Caswell, in Snort Intrusion Detection 2.0, 2003 PCAP Logging
0 kommentar(er)
