Snort export pcap
-
Hi team!
I am setting up Snort as an IDS to monitor the internal network via LAN. I have read that Barnyard is not available in the Snort package as it is obsolete.
Is there a way to export the packets in pcap or another format, so I can see what it detected for the signature in the alerts?
On the other hand, is there a way that, in the alerts section, only the alerts that are not on the suppression list are shown? That would remove a lot of noise.
Greetings and thanks to the team!
-
At the moment there is no easily installable package for exporting the pcap files. Some users have installed the filebeat package manually. There are several links to be found on Google about doing this. Of course you could always write your own shell script to copy the files off to another system and use cron to execute it periodically. There is a cron package you can install on pfSense to enable easy management of scheduled tasks within the GUI.

As for filtering the ALERTS tab, I assume you mean that the alert entries prior to them being suppressed are still visible. Adding a filter for that is probably a good idea, so I will put that on my TODO list for a future upgrade of the package. The alert entries will eventually "roll off" once the alert log is rotated. I assume you have enabled automatic log file management on the LOGS MGMT tab. That feature is off by default, but when enabled it will auto-rotate logs and other files like pcaps when they reach a certain size. It will also prune files from disk based on a retention policy you can configure there. So when log management is enabled, those old suppressed alerts will disappear from the ALERTS tab view when the current alert log file is rotated and a new empty file created in its place.
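The reply above suggests a home-grown shell script driven by cron to ship the pcap files to another system. The script below is an added example of that approach; it is not from the original thread or the pfSense Snort package. It assumes Snort's packet captures live in a per-interface directory under /var/log/snort and are named snort.log.<timestamp> (check your own install), and it uses a hypothetical state file to avoid resending files. The newest capture is skipped because Snort may still be writing to it; the test-friendly design returns the number of files shipped on stdout.

```sh
#!/bin/sh
# Added example (not the original poster's or the package's own code).
# Ships Snort pcap files to another host, keeping a state file of what
# was already sent so a periodic cron run never resends a capture.
set -u

# export_pcaps SRC_DIR DEST STATE_FILE
#   SRC_DIR    directory holding snort.log.* capture files (assumed layout)
#   DEST       local directory, or user@host:/path for scp
#   STATE_FILE hypothetical list of already-shipped files, one per line
# Prints the number of files shipped in this run.
export_pcaps() {
    src_dir=$1; dest=$2; state=$3
    touch "$state"

    # Snort names captures snort.log.<epoch>, so glob order (sorted by name)
    # puts the newest, possibly still-open, file last. Skip that one.
    newest=
    for f in "$src_dir"/snort.log.*; do
        [ -f "$f" ] && newest=$f
    done

    count=0
    for f in "$src_dir"/snort.log.*; do
        [ -f "$f" ] || continue
        [ "$f" = "$newest" ] && continue
        # Already shipped on a previous run?
        grep -qxF "$f" "$state" && continue

        case "$dest" in
            *:*) scp -q "$f" "$dest/" || { echo "scp failed: $f" >&2; continue; } ;;
            *)   cp "$f" "$dest/"     || { echo "cp failed: $f" >&2; continue; } ;;
        esac
        printf '%s\n' "$f" >> "$state"
        count=$((count + 1))
    done
    printf '%s\n' "$count"
}

# Stand-alone use, e.g. from the pfSense Cron package every 15 minutes
# (interface directory name and remote host are placeholders):
#   */15 * * * * /usr/local/bin/export_pcaps.sh /var/log/snort/snort_em112345 backup@10.0.0.5:/srv/pcaps
if [ $# -ge 2 ]; then
    export_pcaps "$1" "$2" "${3:-/var/db/snort_pcap_export.list}"
fi
```

Because the copy and the state update happen per file, a failed scp leaves that file unrecorded and it is retried on the next run. Pair this with the LOGS MGMT retention policy mentioned above so the local copies are pruned only after they have been shipped.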