There was a question on the snort mailing list recently looking for ways to retrieve pcaps of flows that generate alerts.
- Retrieve a PCAP containing all the packets that caused an alert
- The PCAP must contain whole flows, not just the packet with the alert
This is a quick post to show you how you can do it in Trisul. I am not aware of any tool, free or commercial that offers a comparable feature.
You must configure Flow Taggers to mark flows with alert information. For instructions, see Flow Tagging. By default, Trisul marks every flow that generates an alert with the tag IDS. You can create additional taggers, for example to mark flows with alert priorities or sigids.
Pulling up flows then packets
First retrieve all flows that generated an alert, say with a particular Signature ID.
Go to Tools > Explore Flows, then search by typing
tag=sid-1000000122 and you will get a list of flows.
Fig: Searching by flow tag IDS gives you all flows generating an alert
Fig: Get a PCAP for all result flows in bulk or one flow at a time
Simply click Download PCAP to get all the packets in a single PCAP correctly merged by timestamp.
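To make the two steps concrete (tag each alerting flow, then pull every packet of every flow carrying a tag, merged by timestamp), here is an added example in Python; it is not Trisul's code, and the packets, the alert and the Packet/Alert record shapes are constructed for illustration.

```python
from collections import namedtuple, defaultdict

# Constructed record types standing in for decoded packets and Snort alerts.
Packet = namedtuple("Packet", "ts proto src sport dst dport payload")
Alert = namedtuple("Alert", "ts sid proto src sport dst dport")

def flow_key(proto, src, sport, dst, dport):
    """Direction-independent 5-tuple so both halves of a conversation map to one flow."""
    a, b = (src, sport), (dst, dport)
    return (proto,) + (a + b if a <= b else b + a)

def tag_flows(alerts):
    """Flow tagger: every flow with an alert gets 'IDS' plus a 'sid-<sid>' tag."""
    tags = defaultdict(set)
    for al in alerts:
        key = flow_key(al.proto, al.src, al.sport, al.dst, al.dport)
        tags[key].update({"IDS", f"sid-{al.sid}"})
    return tags

def flows_with_tag(tags, tag):
    """The 'tag=...' search: all flow keys carrying the given tag."""
    return {key for key, t in tags.items() if tag in t}

def pcap_for_tag(packets, tags, tag):
    """Whole flows, not just the alerting packet, ordered by timestamp (the 'Download PCAP' step)."""
    wanted = flows_with_tag(tags, tag)
    hits = [p for p in packets if flow_key(p.proto, p.src, p.sport, p.dst, p.dport) in wanted]
    return sorted(hits, key=lambda p: p.ts)

# Constructed sample traffic: one HTTP flow (4 packets) whose third packet
# triggers sid 1000000122, plus an unrelated TLS flow that must not be returned.
PACKETS = [
    Packet(1.0, "tcp", "10.0.0.5", 51000, "192.0.2.10", 80, "SYN"),
    Packet(1.1, "tcp", "192.0.2.10", 80, "10.0.0.5", 51000, "SYN/ACK"),
    Packet(1.2, "tcp", "10.0.0.5", 51000, "192.0.2.10", 80, "GET /etc/passwd"),
    Packet(1.3, "tcp", "10.0.0.7", 52000, "192.0.2.20", 443, "SYN"),
    Packet(1.4, "tcp", "192.0.2.10", 80, "10.0.0.5", 51000, "403 Forbidden"),
]
ALERTS = [Alert(1.2, 1000000122, "tcp", "10.0.0.5", 51000, "192.0.2.10", 80)]

if __name__ == "__main__":
    for p in pcap_for_tag(PACKETS, tag_flows(ALERTS), "sid-1000000122"):
        print(p.ts, p.src, p.sport, "->", p.dst, p.dport, p.payload)
```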
For information on how to connect Snort to Trisul, see our step-by-step guide: How to send IDS alerts to Trisul
You can run Trisul with this feature completely free if you only want to monitor the most recent 3 days.