Snort mailing list archives

Re: Need to log FULL packets


From: Matt Kettler <mkettler () evi-inc com>
Date: Wed, 13 Mar 2002 18:27:38 -0500

True, tagging may be useful to grab all of the follow-on packets from the same host. Heck, if he can figure out that the unusual UDP packets are always coming from the same machine he could even use tcpdump (which is probably the better tool if your only interest is capturing all the traffic matching a very simple profile):

tcpdump -x -s 1500 host xx.xx.xx.xx and udp

and if he can narrow it down to one port:
tcpdump -x -s 1500 host xx.xx.xx.xx and udp port yy



Also, Junaidi, next time try to put your message text above the "Matt Kettler wrote:" bit or leave that line out entirely. In this message it makes it look like you are quoting me talking about tagging, which you are not; my quote begins under that :)

At 06:04 AM 3/14/2002 +0800, Junaidi Bin Sapari wrote:

On Thursday 14 March 2002 02:59, Matt Kettler wrote:

Snort is able to do tagging. This is based on the rule which is triggered.
Once a rule is triggered, all the traffic involving the source host is
logged. Below is one of my examples, so just apply the same to whichever
particular rules you want.
(from web-iis.rules)
alert tcp $EXTERNAL_NET any -> $IIS_SERVERS 80 (msg:"WEB-IIS cmd.exe access"; flags: A+; content:"cmd.exe"; nocase; classtype:web-application-attack; sid:1002; rev:2; tag: host, 300, packets, src;)
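A toy model of what the tag option in that rule does, added here as an illustration (it is not Snort's code and not from the thread): the rule fires on "cmd.exe" sent to port 80, and the next N packets to or from the offending source host are logged as tagged traffic. The Packet layout and the sample traffic are constructed for the example.

```python
from dataclasses import dataclass

@dataclass
class Packet:
    src: str
    dst: str
    proto: str
    dport: int
    payload: bytes = b""

def parse_tag(option):
    """Parse 'host, 300, packets, src' into (type, count, metric, direction)."""
    parts = [p.strip() for p in option.split(",")]
    if len(parts) < 3:
        raise ValueError("tag needs at least type, count and metric")
    tag_type, count, metric = parts[0], int(parts[1]), parts[2]
    direction = parts[3] if len(parts) > 3 else "src"
    if tag_type != "host" or metric != "packets":
        raise ValueError("only host/packets tagging is modelled here")
    return tag_type, count, metric, direction

def rule_matches(pkt):
    # content:"cmd.exe"; nocase; on TCP traffic to port 80
    return pkt.proto == "tcp" and pkt.dport == 80 and b"cmd.exe" in pkt.payload.lower()

def run(packets, tag_option="host, 300, packets, src"):
    """Return [(index, 'alert'|'tagged')] for every packet that gets logged."""
    _, count, _, direction = parse_tag(tag_option)
    tagged_hosts = {}  # host -> packets still to be logged for it
    logged = []
    for i, pkt in enumerate(packets):
        if rule_matches(pkt):
            host = pkt.src if direction == "src" else pkt.dst
            tagged_hosts[host] = count  # (re)start the tag window
            logged.append((i, "alert"))
            continue
        for host in (pkt.src, pkt.dst):  # 'host' type: traffic to or from it
            if tagged_hosts.get(host, 0) > 0:
                tagged_hosts[host] -= 1
                logged.append((i, "tagged"))
                break
    return logged

# Constructed sample traffic: 10.0.0.5 triggers the rule, 10.0.0.9 does not.
SAMPLE = [
    Packet("10.0.0.5", "192.0.2.10", "tcp", 80, b"GET /cmd.exe HTTP/1.0"),
    Packet("192.0.2.10", "10.0.0.5", "tcp", 1234, b"HTTP/1.0 404"),
    Packet("10.0.0.9", "192.0.2.10", "tcp", 80, b"GET / HTTP/1.0"),
    Packet("10.0.0.5", "192.0.2.20", "udp", 53),
    Packet("10.0.0.5", "192.0.2.10", "tcp", 80, b"GET /index.html HTTP/1.0"),
    Packet("10.0.0.5", "192.0.2.10", "tcp", 443),
]
```

With a count of 3 only the alert and the next three packets involving 10.0.0.5 are logged; the packet from 10.0.0.9 never is.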

