I did this several years ago, but once I switched to full packet capture I no longer needed to catch a pcap of the traffic that fires a rule.
You can do this with the tag option in Snort. If you want to know more, please read README.tag.
I will present a signature that logs the first 1000 bytes or 100 seconds (whichever comes first!) after the packet that triggered the event. I'm looking for a SYN flag in a TCP session and start my logging from there (0,packets means there is no limit on the number of packets).
alert tcp 85.19.221.54 any <> $HOME_NET any (msg:"GL Log Packet Evil-IP 85.19.221.54 (gamelinux.org)"; flags:S; tag:session,1000,bytes,100,seconds,0,packets; classtype:trojan-activity; sid:201102011; rev:1;)
I use unified2 as the output plugin for Snort (something Sourcefire 3D also does, IIRC), so I need to fetch the pcap from the unified log. Snort 2.9.0 and newer ships with a new tool that helps here, u2boat. It carves the pcaps out of the unified log:
# u2boat /var/log/snort/<unified.log.timestamp> /tmp/snort.pcap
From there you can read /tmp/snort.pcap with tcpdump, wireshark, etc., or just fetch the evil-IP packets:
# tcpdump -r /tmp/snort.pcap -w /tmp/Evil-85.19.221.54-traffic.pcap 'host 85.19.221.54'
If you prefer the console, you can read the pcap with tcpflow etc.:
# tcpflow -c -r /tmp/Evil-85.19.221.54-traffic.pcap
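As an added example (not code from the original post, and not part of Snort or u2boat), the two extraction steps above can be done in Python as well: walk the unified2 log, pull out the packet records, and write only the frames that involve the evil IP into a pcap, which is what u2boat followed by tcpdump 'host 85.19.221.54' does. The unified2 layout it assumes is the Unified2Packet record (type 2): an 8-byte record header (type, length) and seven big-endian uint32 fields (sensor_id, event_id, event_second, packet_second, packet_microsecond, linktype, packet_length) followed by the frame bytes. The unified2 log it reads is constructed inside the block, so it runs offline; the IPs other than 85.19.221.54 are made up.

```python
import struct
import socket

UNIFIED2_PACKET = 2      # record type carrying a raw packet (what u2boat carves out)
UNIFIED2_IDS_EVENT = 7   # an event record type; skipped here, only its length matters
DLT_EN10MB = 1           # pcap link type for Ethernet


def iter_unified2_records(data):
    """Yield (record_type, payload) for every record in a unified2 blob.
    Each record is an 8-byte header (type, length; big-endian uint32s)
    followed by `length` bytes of payload."""
    off = 0
    while off + 8 <= len(data):
        rtype, rlen = struct.unpack_from("!II", data, off)
        off += 8
        if off + rlen > len(data):
            raise ValueError("truncated unified2 record at offset %d" % off)
        yield rtype, data[off:off + rlen]
        off += rlen


def parse_packet_record(payload):
    """Decode a Unified2Packet: seven big-endian uint32 fields, then the frame."""
    (_sensor_id, event_id, _event_second, pkt_second,
     pkt_usec, linktype, pkt_len) = struct.unpack_from("!7I", payload, 0)
    frame = payload[28:28 + pkt_len]
    if len(frame) != pkt_len:
        raise ValueError("packet record shorter than its packet_length")
    return {"event_id": event_id, "sec": pkt_second, "usec": pkt_usec,
            "linktype": linktype, "data": frame}


def ipv4_hosts(frame):
    """Return (src, dst) dotted quads of an Ethernet/IPv4 frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    return socket.inet_ntoa(frame[26:30]), socket.inet_ntoa(frame[30:34])


def carve_pcap(u2_data, host=None, linktype=DLT_EN10MB):
    """Carve packet records out of unified2 data into pcap bytes, optionally
    keeping only frames where `host` is the IPv4 source or destination
    (the tcpdump 'host <ip>' filter). Returns (pcap_bytes, kept_count)."""
    # pcap global header: magic, version 2.4, thiszone, sigfigs, snaplen, linktype
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype)]
    kept = 0
    for rtype, payload in iter_unified2_records(u2_data):
        if rtype != UNIFIED2_PACKET:
            continue
        rec = parse_packet_record(payload)
        if rec["linktype"] != linktype:
            continue  # mixing link types in one pcap would corrupt it
        if host is not None:
            hosts = ipv4_hosts(rec["data"])
            if hosts is None or host not in hosts:
                continue
        n = len(rec["data"])
        out.append(struct.pack("<IIII", rec["sec"], rec["usec"], n, n))
        out.append(rec["data"])
        kept += 1
    return b"".join(out), kept


# --- constructed sample unified2 log (not a real capture) ---------------------
def build_frame(src, dst, payload=b""):
    """Minimal Ethernet + IPv4 + TCP SYN frame; checksums are left zero."""
    eth = b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb" + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0x4000,
                     64, 6, 0, socket.inet_aton(src), socket.inet_aton(dst))
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 0x50, 0x02, 65535, 0, 0)
    return eth + ip + tcp + payload


def build_packet_record(frame, sec, usec, event_id=1):
    body = struct.pack("!7I", 1, event_id, sec, sec, usec, DLT_EN10MB, len(frame)) + frame
    return struct.pack("!II", UNIFIED2_PACKET, len(body)) + body


def sample_unified2():
    evil, victim, other = "85.19.221.54", "192.168.1.10", "10.0.0.5"  # constructed
    return b"".join([
        struct.pack("!II", UNIFIED2_IDS_EVENT, 52) + b"\x00" * 52,  # dummy event record
        build_packet_record(build_frame(evil, victim), 1296518400, 100),
        build_packet_record(build_frame(victim, evil, b"GET / HTTP/1.0\r\n"), 1296518400, 200),
        build_packet_record(build_frame(other, victim), 1296518401, 300, event_id=2),
    ])


if __name__ == "__main__":
    pcap, kept = carve_pcap(sample_unified2(), host="85.19.221.54")
    with open("/tmp/Evil-85.19.221.54-traffic.pcap", "wb") as fh:
        fh.write(pcap)
    print("wrote %d packets" % kept)
```

Running it writes a pcap containing only the two frames that involve 85.19.221.54 (the third, unrelated frame is dropped), and the file opens in tcpdump, wireshark or tcpflow exactly like the one produced by the u2boat and tcpdump steps above. On a real unified2 log you would pass the file's bytes in place of `sample_unified2()`.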
I could not seem to verify that "0,packets" actually works. I also added the following line to my snort.conf:
config tagged_packet_limit: 0
But again, not sure if it works.
I wanted to do some more testing before releasing this blog post, but it has been sitting around for a while, so if I play more with it and have something new, I'll write a new post.
BTW, turning your Sourcefire 3D into a packet capture device is easy. After adding the rule as above, you can just click the "Download Packet(s)" button in the Event Information/Packet Information view. Use such a rule with care though…
Nice blog. Thanks!
Thanks for the information. I combined this tag with a couple of other options and now hopefully can capture the payload of the encrypted Pushdo trojan.
Thanks for the info. The link to the README.tag seems to be broken though. This isn't the official one, but dd-wrt has a copy:
http://svn.dd-wrt.com/browser/src/router/snort/doc/README.tag?rev=head