Tagging flows with snort alert information for PCAP retrieval

There was a question on the Snort mailing list recently looking for ways to retrieve PCAPs of flows that generate alerts. The requirements were:

  1. Retrieve a PCAP containing all the packets that caused an alert
  2. The PCAP must contain whole flows, not just the packet with the alert

This is a quick post to show you how you can do it in Trisul. I am not aware of any tool, free or commercial, that offers a comparable feature.

Flow taggers

You must configure Flow Taggers to mark flows with alert information; for instructions see Flow Tagging. By default, Trisul marks all flows that generate an alert with the tag IDS. You can create additional taggers, for example to mark flows with alert priorities or signature IDs (sids).

Pulling up flows then packets

First retrieve all flows that generated an alert, say those with Signature ID sid-1000000122.
Go to Tools > Explore Flows, then search by typing tag=sid-1000000122; you will get a list of flows.

Fig: Searching by the flow tag IDS gives you all flows generating an alert
Fig: Get a PCAP for all result flows in bulk, or one flow at a time

Simply click Download PCAP to get all the packets in a single PCAP correctly merged by timestamp.
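To make the tagging idea concrete, here is an added example (not Trisul's code, which is not public here) that does the same thing in miniature: it parses Snort "fast"-format alert lines, tags each bidirectional 5-tuple flow with IDS, sid- and prio- tags, and then pulls every packet of the tagged flows, both directions, merged by timestamp. The alert lines and packet records are constructed samples; a real tool would read them from Snort's alert file and a pcap.

```python
import re
from collections import defaultdict

# Snort "fast" alert line layout (the constructed samples below follow it):
# "<ts> [**] [gid:sid:rev] <msg> [**] [Priority: N] {PROTO} a.b.c.d:sport -> e.f.g.h:dport"
ALERT_RE = re.compile(
    r"\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\].*?"
    r"\[Priority:\s*(?P<prio>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)"
)

def flow_key(proto, a, ap, b, bp):
    """Direction-independent 5-tuple so both halves of a conversation map to one flow."""
    ends = sorted([(a, int(ap)), (b, int(bp))])
    return (proto.upper(), ends[0], ends[1])

def tag_flows(alert_lines):
    """Return {flow_key: set(tags)}; every alerting flow gets IDS plus sid-/prio- tags."""
    tags = defaultdict(set)
    for line in alert_lines:
        m = ALERT_RE.search(line)
        if not m:
            continue  # not an alert line (blank line, header, etc.)
        key = flow_key(m["proto"], m["src"], m["sport"], m["dst"], m["dport"])
        tags[key].update({"IDS", f"sid-{m['sid']}", f"prio-{m['prio']}"})
    return dict(tags)

def packets_for_tag(packets, tags, wanted):
    """Select every packet of every flow carrying `wanted`, merged in timestamp order."""
    hits = {k for k, t in tags.items() if wanted in t}
    out = [p for p in packets
           if flow_key(p["proto"], p["src"], p["sport"], p["dst"], p["dport"]) in hits]
    return sorted(out, key=lambda p: p["ts"])

# Constructed sample data: two alerts on one TCP flow, one on a UDP flow, plus a clean flow.
ALERTS = [
    "04/01-10:00:02.100000  [**] [1:1000000122:1] TEST rule [**] [Priority: 2] {TCP} 10.0.0.5:51234 -> 192.168.1.10:80",
    "04/01-10:00:02.300000  [**] [1:1000000122:1] TEST rule [**] [Priority: 2] {TCP} 192.168.1.10:80 -> 10.0.0.5:51234",
    "04/01-10:00:05.000000  [**] [1:2000001:3] OTHER rule [**] [Priority: 1] {UDP} 10.0.0.7:5353 -> 224.0.0.251:5353",
]
PACKETS = [  # constructed packet records standing in for pcap frames
    {"ts": 1.0, "proto": "TCP", "src": "10.0.0.5", "sport": 51234, "dst": "192.168.1.10", "dport": 80},  # SYN
    {"ts": 1.1, "proto": "TCP", "src": "192.168.1.10", "sport": 80, "dst": "10.0.0.5", "dport": 51234},  # SYN/ACK
    {"ts": 1.5, "proto": "TCP", "src": "10.0.0.9", "sport": 40000, "dst": "192.168.1.10", "dport": 80},  # clean flow
    {"ts": 2.1, "proto": "TCP", "src": "10.0.0.5", "sport": 51234, "dst": "192.168.1.10", "dport": 80},  # alert packet
    {"ts": 2.3, "proto": "TCP", "src": "192.168.1.10", "sport": 80, "dst": "10.0.0.5", "dport": 51234},
    {"ts": 5.0, "proto": "UDP", "src": "10.0.0.7", "sport": 5353, "dst": "224.0.0.251", "dport": 5353},
]
```

Note that the SYN and SYN/ACK at 1.0 and 1.1 are returned for sid-1000000122 even though only the packet at 2.1 triggered the alert; that is the "whole flow, not just the alerting packet" behaviour the mailing-list question asked for.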

More links

For information on how to connect Snort to Trisul, check out our step-by-step guide, How to send IDS alerts to Trisul.

You can run Trisul with this feature completely free if you only want to monitor the most recent 3 days.

Free download: Trisul 4.0!
