Snort mailing list archives
Re: Need to log FULL packets
From: Matt Kettler <mkettler () evi-inc com>
Date: Wed, 13 Mar 2002 18:27:38 -0500
True, tagging may be useful to grab all of the follow-on packets from the same host. Heck, if he can figure out that the unusual UDP packets are always coming from the same machine he could even use tcpdump (which is probably the better tool if your only interest is capturing all the traffic matching a very simple profile):
tcpdump -x -s 1500 host xx.xx.xx.xx and udp

and if he can narrow it down to one port:

tcpdump -x -s 1500 host xx.xx.xx.xx and udp port yy

Also, Junaidi, next time try to put your message text above the "Matt Kettler wrote:" bit or leave that line out entirely. This message makes it look like you are quoting me talking about tagging, which you are not; my quote begins under that :)
At 06:04 AM 3/14/2002 +0800, Junaidi Bin Sapari wrote:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Thursday 14 March 2002 02:59, Matt Kettler wrote:

Snort is able to do tagging. This is based on the rule which is triggered. Once a rule is triggered, all the traffic involving the source host is logged. Below is one of my examples, so just apply the same for whichever particular rules you want. (from web-iis.rules)

alert tcp $EXTERNAL_NET any -> $IIS_SERVERS 80 (msg:"WEB-IIS cmd.exe access"; flags: A+; content:"cmd.exe"; nocase; classtype:web-application-attack; sid:1002; rev:2; tag: host, 300, packets, src;)
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
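The thread offers two ways to get the follow-on packets: a plain tcpdump host filter, or Snort's tag option so that one alert turns on logging for everything involving the offending host. The following is an added example, not code from this thread and not Snort's own implementation: a small Python model of what "tag: host, 300, packets, src" does, so the mechanism can be seen on constructed traffic. The Packet and Rule types, the hosts, payloads and timestamps, and the reduced budget of 3 packets are all constructed here; the rule modelled is the web-iis.rules entry quoted above. Snort's real tagging has more options (session tags, for instance) than this sketch reproduces.

```python
# Added example: toy model of Snort's `tag: host, <count>, <metric>, <dir>`
# rule option. Not Snort code; all packets below are constructed.
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Packet:
    """Minimal decoded packet: only the fields the tagger needs."""
    ts: float          # capture time, seconds
    src: str
    dst: str
    proto: str         # "tcp" or "udp"
    dport: int
    payload: bytes = b""


@dataclass(frozen=True)
class Rule:
    """One alert rule carrying a tag option, like the web-iis.rules entry."""
    msg: str
    proto: str
    dport: int
    content: bytes     # matched case-insensitively, as `nocase` does
    tag_count: int     # the 300 in `tag: host, 300, packets, src`
    tag_metric: str    # "packets" or "seconds"
    tag_dir: str       # "src" or "dst": which address of the alerting packet is tagged

    def matches(self, pkt: Packet) -> bool:
        return (pkt.proto == self.proto and pkt.dport == self.dport
                and self.content.lower() in pkt.payload.lower())


class HostTagger:
    """Logs every packet to or from a tagged host until its budget is spent."""

    def __init__(self, rules: List[Rule]) -> None:
        self.rules = rules
        # host -> (metric, budget): packets remaining, or absolute expiry time
        self.tags: Dict[str, Tuple[str, float]] = {}
        self.log: List[Tuple[str, Packet]] = []

    @staticmethod
    def _expired(metric: str, budget: float, pkt: Packet) -> bool:
        return budget <= 0 if metric == "packets" else pkt.ts > budget

    def process(self, pkt: Packet) -> str:
        """Returns 'alert', 'tagged' or 'dropped' for one packet."""
        for rule in self.rules:
            if rule.matches(pkt):
                self.log.append(("alert " + rule.msg, pkt))
                host = pkt.src if rule.tag_dir == "src" else pkt.dst
                budget = (rule.tag_count if rule.tag_metric == "packets"
                          else pkt.ts + rule.tag_count)
                # A fresh alert re-arms the tag instead of stacking budgets.
                self.tags[host] = (rule.tag_metric, budget)
                return "alert"
        # No alert: log the packet if either end is a tagged host.
        for host in (pkt.src, pkt.dst):
            if host not in self.tags:
                continue
            metric, budget = self.tags[host]
            if self._expired(metric, budget, pkt):
                del self.tags[host]
                continue
            if metric == "packets":
                self.tags[host] = (metric, budget - 1)
            self.log.append(("tagged " + host, pkt))
            return "tagged"
        return "dropped"


def run_scenario(metric: str = "packets", count: int = 3) -> List[str]:
    """Constructed traffic: one cmd.exe probe, then follow-on packets from
    the probing host mixed with traffic from an unrelated host."""
    rule = Rule(msg="WEB-IIS cmd.exe access", proto="tcp", dport=80,
                content=b"cmd.exe", tag_count=count, tag_metric=metric,
                tag_dir="src")
    attacker, other, server = "10.0.0.5", "10.0.0.9", "192.168.1.10"  # constructed
    stream = [
        Packet(0.0, attacker, server, "tcp", 80, b"GET /index.html HTTP/1.0"),
        Packet(0.5, attacker, server, "tcp", 80, b"GET /scripts/CMD.EXE?/c+dir HTTP/1.0"),
        Packet(0.6, server, attacker, "tcp", 1040, b"HTTP/1.0 404 Not Found"),
        Packet(1.0, attacker, server, "udp", 53, b"\x00\x01"),
        Packet(1.2, other, server, "tcp", 80, b"GET /index.html HTTP/1.0"),
        Packet(1.6, attacker, server, "udp", 161, b"\x30\x26"),
        Packet(9.0, attacker, server, "tcp", 80, b"GET /default.htm HTTP/1.0"),
    ]
    tagger = HostTagger([rule])
    return [tagger.process(p) for p in stream]


if __name__ == "__main__":
    for metric, count in (("packets", 3), ("seconds", 1)):
        print(f"tag: host, {count}, {metric}, src ->", run_scenario(metric, count))
```

With the packets metric, the server's reply and the later UDP packets from the probing host are logged because the tag covers both directions, the unrelated host's request is not, and logging stops once the count is used up. With the seconds metric the same tag instead lapses at a fixed time after the alert, so a packet arriving after that window is no longer captured; this is the difference to weigh when picking 300 packets versus some number of seconds in the real rule.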
Current thread:
- Need to log FULL packets Sheahan, Paul (PCLN-NW) (Mar 13)
- <Possible follow-ups>
- Re: Need to log FULL packets Matt Kettler (Mar 13)
- Re: Need to log FULL packets Junaidi Bin Sapari (Mar 13)
- Message not available
- Re: Need to log FULL packets Matt Kettler (Mar 13)
- Re: Need to log FULL packets Brian (Mar 19)