How to manage events that include packet captures?

Hello,

I’m quite new to logging systems, so probably this question is just that I am not understanding the context properly.

I am setting up a lab environment that has a snort sensor and I am trying to understand how to correctly log its data. I understand there are lots of tools (e.g. Sguil and its dependents) that provide a comprehensive solution, however they are starting to become a bit aged. Moreover, I have used Graylog for syslog/netflow capture before and quite like it, so I was wondering how much of the same functionality would also be possible using Graylog. One function they provide is a mapping of an event back to the packet that caused the intrusion detection event (and a UI to view the packet).

So, what I don't understand with Graylog is: if I get an event (e.g. a syslog message from an IDS alerting that an intrusion attempt was detected) which also has a packet capture associated (e.g. stored as a flat file on the IDS), how can this information be managed with Graylog?

For example, it raises these queries:

  • Is it feasible to submit a pcap file (or a binary string) to be associated with a log item?
  • Should the event be tagged with a filename/URI of the capture, then the viewer can manually download the packet capture on demand?
  • Only use timestamp of event and the user has to manually search for pcap on IDS?

I’ve looked at How to send Snort IDS alert logs into Graylog, but it only deals with events and not the associated packet captures.

Many thanks,
Karim

An update. I have tried out using the barnyard2 log processor for snort and configuring it to send the associated packet captures as hex dumps in the syslog messages. This setup appears to work in a lab environment as it allows for traceability (between the IDS event and the packet that caused the event). However, I'm not sure this is an ideal solution. That is,

  • I have not seen any special support for binary/hex data. They are only treated as strings. Ideally it would be possible to download the data as a pcap file and open it on a local machine, or even present the binary data in a standard hexdump/xxd format.
  • Maybe there are efficiency issues with storing data like this?

If anyone has any experience, I’d like to hear it.

Thanks,
Karim
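Since the hex dump arrives in Graylog as a plain string, one way to get from the stored message back to something Wireshark can open is a small post-processing script. The following is an added example, not code from this thread, from Graylog or from barnyard2: it assumes the alert is a syslog line carrying the packet bytes in a trailing `payload=<hex>` field (an assumed field name and layout; the real barnyard2 output differs and the regular expression has to be adapted to it), extracts the bytes, renders them in xxd style, and wraps them in a classic libpcap file. Because the sensor dumps the packet from the IP header onward, the file uses the raw-IP link type (101) rather than Ethernet.

```python
"""Turn a hex-dumped packet carried in an IDS syslog event back into a pcap."""
import re
import struct
from typing import List, Tuple

# Constructed sample alert. The trailing "payload=<hex>" field is an assumption
# made for this example; barnyard2/Snort's real syslog layout differs, so adapt
# HEX_FIELD to whatever your sensor emits. The 40 bytes are a hand-built
# IPv4 + TCP SYN header pair (checksums zeroed), not a captured packet.
SAMPLE_EVENT = (
    "<33>Jan 10 12:00:00 ids1 snort[1234]: [1:1000001:1] EXAMPLE test rule "
    "[Priority: 2] {TCP} 192.0.2.10:40000 -> 198.51.100.5:80 "
    "payload=450000280001400040060000c000020ac6336405"
    "9c40005000000001000000005002ffff00000000"
)

HEX_FIELD = re.compile(r"payload=([0-9A-Fa-f]+)")

PCAP_MAGIC_LE = b"\xd4\xc3\xb2\xa1"  # 0xa1b2c3d4 written little-endian
LINKTYPE_RAW = 101  # packets start at the IPv4/IPv6 header, no Ethernet frame


def extract_packet(event: str) -> bytes:
    """Return the packet bytes carried in the event's hex field.

    Raises ValueError when the field is missing or has an odd digit count,
    so a truncated message is rejected instead of yielding a half byte.
    """
    match = HEX_FIELD.search(event)
    if match is None or len(match.group(1)) % 2:
        raise ValueError("event carries no well-formed hex payload")
    return bytes.fromhex(match.group(1))


def to_xxd(data: bytes, width: int = 16) -> str:
    """Render bytes in the layout of `xxd`: offset, 2-byte hex groups, ASCII."""
    lines = []
    hex_cols = width * 2 + width // 2 - 1  # width of the hex column incl. spaces
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        groups = " ".join(chunk[i:i + 2].hex() for i in range(0, len(chunk), 2))
        ascii_part = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"{off:08x}: {groups:<{hex_cols}}  {ascii_part}")
    return "\n".join(lines)


def build_pcap(packets: List[Tuple[float, bytes]], linktype: int = LINKTYPE_RAW) -> bytes:
    """Serialise (timestamp, packet) pairs as a classic libpcap file (v2.4)."""
    out = bytearray(PCAP_MAGIC_LE)
    # global header: version 2.4, thiszone 0, sigfigs 0, snaplen, link type
    out += struct.pack("<HHiIII", 2, 4, 0, 0, 65535, linktype)
    for ts, pkt in packets:
        sec = int(ts)
        usec = int(round((ts - sec) * 1_000_000))
        # per-record header: ts_sec, ts_usec, captured length, original length
        out += struct.pack("<IIII", sec, usec, len(pkt), len(pkt))
        out += pkt
    return bytes(out)


def event_to_pcap(event: str, timestamp: float) -> bytes:
    """Convenience wrapper: one alert line -> one-packet pcap file."""
    return build_pcap([(timestamp, extract_packet(event))])


if __name__ == "__main__":
    pkt = extract_packet(SAMPLE_EVENT)
    print(to_xxd(pkt))
    # The syslog header lacks a year, so the event time is passed in explicitly.
    with open("alert.pcap", "wb") as fh:
        fh.write(event_to_pcap(SAMPLE_EVENT, 1700000000.5))
    print("wrote alert.pcap (open with Wireshark or tcpdump -r alert.pcap)")
```

In practice this would run against messages exported from Graylog (or be wired into a tool that fetches the message by ID), which keeps the hex string as the stored record while still giving analysts a proper capture file on demand.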

Hey @kazkansouh

I can’t solve your issue right away, but upcoming versions should give you the ability to link to 3rd party tools, like a ticket system or IDS - so you just need the ability to create a link out of known facts or similar.

How that will look is not yet decided, only that we will have these abilities in Graylog mid-term.

Hello Jan,

Thanks for the information. That sounds like it would be quite a useful feature.
