Performing Forensics Using Snort

You want to use the capabilities of Snort to perform forensics.


The most important step you can take when using Snort to perform forensics is to make sure you have at least one instance of Snort capturing full packets in binary mode. It's even a good idea to have a backup (or two) of this binary data. Once you have the data stored in binary mode, you can use a tool like Ethereal to read in the packet captures and save the data that you want to a new file. This may be the contents of an FTP session or the installation of a rootkit, or some other type of important data for analysis.

There are two other keywords that can be used within Snort rules to collect specific data:

logto

Events that trigger rules with this keyword will be written to a separate file.

session

Events that trigger rules with this keyword will output all ASCII characters of a connection (for example, an HTTP, FTP, or Telnet session) to a human-readable file.

It is best to have both the binary packet captures as well as the human readable ASCII files.


Forensics may be performed as part of a larger incident-handling process or part of your honeypot/honeynet analysis. If it is being performed as part of the incident-handling process, it is important to have a set of well-established processes and procedures. More details on incident handling and interacting with law enforcement can be found in the recipes "Snort and Investigations," "Snort as Legal Evidence in the U.S.," and "Snort as Legal Evidence in the U.K."

When dealing with system forensics, most of the time the attacker's tools and programs have already been deleted from the compromised system. As long as the attack was carried out remotely, the network forensics logs will hold a capture of the files transferred to the target machine and of any commands issued over the network. Ethereal's "Follow TCP Stream" feature is a great way to reconstruct that traffic. An important benefit of network forensics data is that it serves as a backup when the investigation team is unable to recover any evidence from the target machine itself.
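As an added example (not code from the Snort Cookbook), the following Python reads a binary pcap capture of the kind the full-packet Snort instance writes and renders each TCP session's printable ASCII in capture order, roughly what the session keyword's printable output or Ethereal's "Follow TCP Stream" shows. The sample capture is constructed inline, and the script assumes a classic pcap containing Ethernet/IPv4/TCP frames; it does no TCP reordering or reassembly.

```python
import struct
from collections import defaultdict

PRINTABLE = set(range(0x20, 0x7F)) | {0x09, 0x0A, 0x0D}  # others are shown as "."

def tcp_payloads(pcap_bytes):
    """Yield (src, dst, payload) for every TCP segment in a classic pcap; non-IPv4/TCP frames are skipped."""
    magic, = struct.unpack_from("<I", pcap_bytes, 0)
    endian = "<" if magic == 0xA1B2C3D4 else ">"
    off = 24                                   # skip the pcap global header
    while off + 16 <= len(pcap_bytes):
        _, _, caplen, _ = struct.unpack_from(endian + "IIII", pcap_bytes, off)
        frame = pcap_bytes[off + 16:off + 16 + caplen]
        off += 16 + caplen
        if len(frame) < 54 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue                           # not IPv4 over Ethernet, or not TCP
        ihl = (frame[14] & 0x0F) * 4
        ip_len = struct.unpack_from("!H", frame, 16)[0]
        src = ".".join(map(str, frame[26:30]))
        dst = ".".join(map(str, frame[30:34]))
        tcp = frame[14 + ihl:14 + ip_len]      # a truncated (small snaplen) frame simply yields less
        if len(tcp) < 20:
            continue
        sport, dport = struct.unpack_from("!HH", tcp, 0)
        payload = tcp[(tcp[12] >> 4) * 4:]
        if payload:
            yield f"{src}:{sport}", f"{dst}:{dport}", payload

def sessions(pcap_bytes):
    """Group payloads per endpoint pair in capture order (no TCP reassembly) and render printable text."""
    streams = defaultdict(bytearray)
    for a, b, payload in tcp_payloads(pcap_bytes):
        streams[tuple(sorted((a, b)))] += bytes(c if c in PRINTABLE else 0x2E for c in payload)
    return {f"{k[0]} <-> {k[1]}": v.decode("ascii") for k, v in streams.items()}

# --- constructed sample capture (not real traffic): a three-segment FTP login ---
def build_frame(src, sport, dst, dport, payload):
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 8192, 0, 0)
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp + payload

def build_pcap(frames):
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    return out + b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)

SAMPLE_PCAP = build_pcap([
    build_frame("10.0.0.5", 40001, "10.0.0.9", 21, b"USER anonymous\r\n"),
    build_frame("10.0.0.9", 21, "10.0.0.5", 40001, b"331 Please specify the password.\r\n"),
    build_frame("10.0.0.5", 40001, "10.0.0.9", 21, b"PASS guest\x00\xff\r\n"),
])
```

If the capturing Snort instance was started with a small snaplen, segments are truncated on disk and the reconstructed text has holes, which is the practical reason the recipe insists on full-packet binary captures.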

Finally, it is important to have solid organizational policies. You must have specific policies that allow you to capture and maintain forensics information as part of your job responsibilities. You need a policy that allows you to store and provide privacy information about your users to outside agencies. This is especially important when dealing with law enforcement.

See Also

Recipe 7.11

Recipe 7.12

Recipe 7.13

Orebaugh, Angela D. and Gilbert Ramirez. Ethereal Packet Sniffing. Rockland, MA: Syngress, 2004.


Snort Cookbook
ISBN: 0596007914
Year: 2006