    Snort export pcap

    IDS/IPS
    snort ids pcap
    GuiguMZ:

      Hi team!

      I am setting up Snort as IDS to monitor the internal network via LAN. I have read that Barnyard is not available in the Snort package as it is obsolete.

      Is there a way to export the packets in pcap or another format, to know what triggered the signature in the alerts?

      On the other hand, is there a way that, in the alerts section, only the alerts that are not on the suppression list are shown? Much noise would be removed.

      Greetings and thanks to the team!

      bmeeks:

        At the moment there is no easily installable package for exporting the pcap files. Some users have installed the filebeat package manually. There are several links to be found on Google about doing this.

        Of course you could always write your own shell script to copy the files off to another system and use cron to execute it periodically. There is a cron package you can install on pfSense to enable easy management of scheduled tasks within the GUI.

        As for filtering the ALERTS tab, I assume you mean that the alert entries prior to them being suppressed are still visible. Adding a filter for that is probably a good idea, so I will put that on my TODO list for a future upgrade of the package. The alert entries will eventually "roll off" once the alert log is rotated. I assume you have enabled automatic log file management on the LOGS MGMT tab. That feature is off by default, but when enabled it will auto-rotate logs and other files like pcaps when they reach a certain size. It will also prune files from disk based on a retention policy you can configure there. So when log management is enabled, those old suppressed alerts will disappear from the ALERTS tab view when the current alert log file is rotated and a new empty file created in its place.

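The "write your own shell script and run it from cron" approach described above, as an added example that is not from this thread or from the pfSense Snort package. It assumes Snort writes its pcap output under /var/log/snort/<instance>/ as snort.log.<timestamp> files, that the collector (the hostname and path below are placeholders) accepts scp with key-based authentication, and that the pfSense cron package invokes the script with the argument "run". Files younger than MIN_AGE_MIN minutes are skipped because Snort may still be writing them, and each exported file is recorded by path and SHA-256 in a state file so a failed transfer is retried on the next run and a completed one is never copied twice.

```shell
#!/bin/sh
# Added example: copy finished Snort pcap files off a pfSense box to a collector.
# Paths, host and file naming below are assumptions, not values from the thread.
set -eu

SNORT_LOG_DIR="${SNORT_LOG_DIR:-/var/log/snort}"
# "user@host:/path" is copied with scp; a plain local directory is copied with cp.
DEST="${DEST:-snortcollector@collector.example.internal:/srv/snort/pcap}"  # placeholder
STATE_FILE="${STATE_FILE:-/var/db/snort_pcap_export.state}"
MIN_AGE_MIN="${MIN_AGE_MIN:-5}"   # leave files Snort may still be writing alone

# SHA-256 of a file; pfSense (FreeBSD) ships sha256, Linux ships sha256sum.
file_digest() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        sha256 -q "$1"
    fi
}

# Print candidate pcap files under $1, one per line, oldest-modified filter applied.
list_candidates() {
    if [ "$MIN_AGE_MIN" -gt 0 ]; then
        find "$1" -type f -name 'snort.log.*' -mmin +"$MIN_AGE_MIN"
    else
        find "$1" -type f -name 'snort.log.*'
    fi
}

# Succeeds if file $1 with digest $2 is already recorded in the state file.
already_exported() {
    [ -f "$STATE_FILE" ] && grep -qF "$2  $1" "$STATE_FILE"
}

# Copy one file to DEST: scp for a remote target, cp for a local directory.
copy_out() {
    case "$DEST" in
        *:*) scp -q "$1" "$DEST/" ;;
        *)   mkdir -p "$DEST" && cp "$1" "$DEST/" ;;
    esac
}

# Export every not-yet-exported pcap and print the number of files copied.
# Snort pcap names contain no whitespace, so word-splitting the find output is safe.
export_pcaps() {
    count=0
    for f in $(list_candidates "$SNORT_LOG_DIR"); do
        d=$(file_digest "$f")
        if already_exported "$f" "$d"; then
            continue
        fi
        copy_out "$f"
        # Record only after a successful copy so a failed transfer is retried next run.
        printf '%s  %s\n' "$d" "$f" >> "$STATE_FILE"
        count=$((count + 1))
    done
    echo "$count"
}

# Entry point for cron: ./snort_pcap_export.sh run
if [ "${1:-}" = "run" ]; then
    logger -t snort_pcap_export "exported $(export_pcaps) pcap file(s)"
fi
```

Because the state file records the digest as well as the path, a rotated file that reuses an old name is still exported, and the digests double as an integrity record you can compare against what arrived on the collector.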