Logging Snort PCAPs by Event SID

If you’re reading this, I’m willing to wager you’ve been digging through Snort alerts and then spent hours upon hours digging through captured pcap files. There is nothing wrong with reading streams and investigating files; however, an analyst can reasonably expect to have the data they need at the moment they need it.

Implementation

To make our security team more effective and to feed our incident response automation pipeline, I modified the Snort source so that the alert SID is prepended to the log file name (tested on 2.9.7.6). The modified function in src/output-plugins/spo_log_tcpdump.c:

```c
// file: src/output-plugins/spo_log_tcpdump.c
static void LogTcpdumpStream(Packet *p, const char *msg, void *arg, Event *event)
{
    LogTcpdumpData *data = (LogTcpdumpData *)arg;
    size_t dumpSize = 0;
    char buf[256];

    if ( !data )
    {
        FatalError("log_tcpdump: unable to allocate memory!\n");
    }

    /* Note: this resets any "limit" given on the output line in snort.conf
     * to the compiled-in default; drop it to honour the configured value. */
    data->limit = DEFAULT_LIMIT;

    /* Prefix the configured file name with this alert's SID. sig_id is a
     * uint32_t, so format it with %u. Keep a heap copy: data->filename is
     * free()d by the cleanup routine, so it must not point at a stack buffer. */
    snprintf(buf, sizeof buf, "%u-%s", event->sig_id, DEFAULT_FILE);
    if (data->filename)
        free(data->filename);
    data->filename = SnortStrdup(buf);

    /* Close the dump file from the previous alert before opening the next one,
     * otherwise every alert leaks a pcap_dumper_t and its file descriptor. */
    if (data->dumpd)
    {
        pcap_dump_close(data->dumpd);
        data->dumpd = NULL;
    }
    TcpdumpInitLogFile(data, ScNoOutputTimestamp());

    if (stream_api)
        stream_api->traverse_reassembled(p, SizeOfCallback, &dumpSize);

    if ( data->size + dumpSize > data->limit )
        TcpdumpRollLogFile(data);

    if (stream_api)
        stream_api->traverse_reassembled(p, LogTcpdumpStreamCallback, data);

    data->size += dumpSize;

    if (!ScLineBufferedLogging())
    {
#ifdef WIN32
        fflush( NULL );  /* flush all open output streams */
#else
        /* we happen to know that pcap_dumper_t* is really just a FILE* */
        fflush( (FILE*) data->dumpd );
#endif
    }
}
```

What this change does is prefix the file name from your output log_tcpdump configuration line with the SID of the event that fired, so a rule with SID 1000001 and the default file name logs to 1000001-snort.log (plus Snort's usual timestamp suffix unless it runs with --nostamps). The file is opened fresh on every alert, so each alert's stream is written to disk immediately. One caveat: pcap_dump_open() truncates an existing file and the timestamp suffix has one-second resolution, so two alerts with the same SID in the same second overwrite each other. If you need every hit, put a unique component (packet timestamp, a counter) in the name or open the file with pcap_dump_open_append() (libpcap 1.7.2 and later).

Taking This Further

This approach has since grown and transmogrified into a beautiful unicorn of a function for network security. We now add not only the alert SID to the file name but also the source and destination IP addresses and the protocol, so that when the files are uploaded to our investigations artifact repository they are automatically associated with the right incident. By the time a security analyst reviews the ticket, the information and TCP streams are already local and available, with no precious time wasted collecting the data by hand.
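The following is an added example, not code from this post or from Snort, that carries the naming idea from the two sections above one step further: it composes a file name from the alert's generator/SID, both endpoints, the protocol and the packet timestamp, refuses names that would be truncated (a truncated name could silently merge unrelated alerts into one file), and appends the packet to that file in libpcap format so the same name accumulates records instead of being overwritten. It does not link libpcap; it writes the 24-byte file header and 16-byte record header itself. The AlertMeta struct, the build_pcap_name and write_alert_pcap functions and the sample frame are all assumptions constructed for the example; in Snort the fields would come from the Event and Packet structures.

```c
/* Added example, not Snort's code. Build an alert-keyed pcap name and
 * append the packet to it in libpcap file format (no libpcap needed). */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical alert metadata; in Snort this would be taken from Event
 * (sig_generator, sig_id) and Packet (addresses, ports, protocol, time). */
typedef struct {
    uint32_t gid, sid;        /* generator id and signature id */
    const char *src, *dst;    /* printable source/destination addresses */
    uint16_t sport, dport;
    const char *proto;        /* "tcp", "udp", "icmp", ... */
    uint32_t ts_sec, ts_usec; /* packet timestamp */
} AlertMeta;

/* libpcap file header (24 bytes) and per-record header (16 bytes). */
typedef struct {
    uint32_t magic;           /* 0xa1b2c3d4: microsecond timestamps, host order */
    uint16_t vmajor, vminor;  /* format version 2.4 */
    int32_t  thiszone;
    uint32_t sigfigs, snaplen, linktype;
} PcapFileHdr;

typedef struct {
    uint32_t ts_sec, ts_usec, incl_len, orig_len;
} PcapRecHdr;

/* Compose "<gid>-<sid>_<src>_<sport>_<dst>_<dport>_<proto>_<sec>.<usec>_<base>".
 * Returns 0 on success, -1 if the name does not fit in out[]. */
int build_pcap_name(char *out, size_t n, const AlertMeta *m, const char *base)
{
    int w = snprintf(out, n, "%u-%u_%s_%u_%s_%u_%s_%u.%06u_%s",
                     m->gid, m->sid, m->src, (unsigned)m->sport,
                     m->dst, (unsigned)m->dport, m->proto,
                     m->ts_sec, m->ts_usec, base);
    return (w < 0 || (size_t)w >= n) ? -1 : 0;
}

/* Append one packet record to dir/<name>. The file header is written only
 * when the file is empty, so repeated alerts that map to the same name
 * accumulate rather than truncating each other as pcap_dump_open() would.
 * Returns the number of bytes written, or -1 on error. */
long write_alert_pcap(const char *dir, const AlertMeta *m,
                      const uint8_t *pkt, uint32_t len)
{
    char name[200], path[256];
    if (build_pcap_name(name, sizeof name, m, "snort.log") != 0)
        return -1;
    if (snprintf(path, sizeof path, "%s/%s", dir, name) >= (int)sizeof path)
        return -1;

    FILE *f = fopen(path, "ab");
    if (!f)
        return -1;

    long written = 0;
    if (fseek(f, 0, SEEK_END) != 0) { fclose(f); return -1; }
    if (ftell(f) == 0) {
        PcapFileHdr fh = { 0xa1b2c3d4u, 2, 4, 0, 0, 65535u, 1u /* LINKTYPE_ETHERNET */ };
        if (fwrite(&fh, sizeof fh, 1, f) != 1) { fclose(f); return -1; }
        written += (long)sizeof fh;
    }
    PcapRecHdr rh = { m->ts_sec, m->ts_usec, len, len };
    if (fwrite(&rh, sizeof rh, 1, f) != 1 || fwrite(pkt, 1, len, f) != len) {
        fclose(f);
        return -1;
    }
    written += (long)sizeof rh + (long)len;
    return fclose(f) == 0 ? written : -1;
}

/* Constructed sample: a 42-byte Ethernet/IPv4/UDP frame, 10.0.0.1:12345 -> 10.0.0.2:53. */
static const uint8_t sample_pkt[42] = {
    0x00,0x11,0x22,0x33,0x44,0x55, 0x66,0x77,0x88,0x99,0xaa,0xbb, 0x08,0x00,
    0x45,0x00,0x00,0x1c, 0x00,0x01,0x00,0x00, 0x40,0x11,0x00,0x00,
    0x0a,0x00,0x00,0x01, 0x0a,0x00,0x00,0x02,
    0x30,0x39, 0x00,0x35, 0x00,0x08, 0x00,0x00
};

int main(void)
{
    AlertMeta m = { 1, 1000001, "10.0.0.1", "10.0.0.2", 12345, 53, "udp",
                    1700000000u, 123456u };
    long n = write_alert_pcap("/tmp", &m, sample_pkt, sizeof sample_pkt);
    printf("wrote %ld bytes to /tmp/<gid>-<sid>_..._snort.log\n", n);
    return n < 0;
}
```

Opening with "ab" and checking the offset is what makes the second hit on the same name append a record rather than start a new file; the resulting file opens in tcpdump or Wireshark like any capture written by Snort's log_tcpdump plugin.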
