Snort mailing list archives
RE: Snort-users digest, Vol 1 #2589 - 3 msgs
From: "L. Christopher Luther" <CLuther () Xybernaut com>
Date: Mon, 16 Dec 2002 15:32:37 -0500
In answer to your question:

1) Presuming that AIM only uses TCP port 5190 and is not proxied, then yes, the rule you note below will generate a Snort alert for all AIM packets it captures.

2) As I just noted above, Snort will generate an alert, and depending on the logging facility you use, Snort will either log the entire contents of the *packet* or just some high-level information. You may want to consider making the AIM rule only a logging rule (i.e., "log tcp any any -> any 5190") to avoid getting overrun by alerts generated by AIM traffic. Unless of course, you actually want those alerts ;)

3) And no, the rule will not capture the whole AIM conversation. Though I imagine that it would be possible to use binary logging or the unified log facility and some sort of post processor to piece together all of the AIM packets captured and reconstruct the AIM conversation.

4) Yes, create a .rules file (or use the local.rules) and make reference to it in the snort.conf file.

- Christopher

-----Original Message-----
From: "Shafer, Troy" <tshafer () laurel k12 ky us>
To: "'snort-users () lists sourceforge net'" <snort-users () lists sourceforge net>
Date: Mon, 16 Dec 2002 14:57:42 -0500
Subject: [Snort-users] another question

I found this code on the net for logging aim traffic...

alert tcp any any -> any 5190 (msg:"AIM Message"; content:"HTML";)

my first question, does this actually log the content of the messages and two how would I implement this with snort... write a .rules file... then put an include in the snort.conf?

Still trying to figure this snort thing out...

Troy Shafer
Network Engineer
Laurel County Schools
606-862-4616
tshafer () laurel k12 ky us
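The following is an added illustration, not code from this thread and not Snort's own rule engine. It implements only the small subset of the Snort rule grammar the two messages use (a header of action/proto/src/sport/direction/dst/dport plus msg and content options) and runs both rules from the thread over constructed sample packets. The class and function names (Rule, Packet, evaluate, demo) and the sample payloads are assumptions made for the example. It shows the three points Christopher makes: the alert rule fires only on port 5190 packets that carry the string "HTML", the log variant records every port 5190 packet whole rather than just a message, and traffic that reaches a non-standard port (a proxied client, for instance) is missed by both.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Illustrative subset of the Snort rule syntax shown in the thread:
# "<action> <proto> <src> <sport> <dir> <dst> <dport> (<opts>)".
HEADER_RE = re.compile(
    r'^(?P<action>alert|log|pass)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+'
    r'(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*(?:\((?P<opts>.*)\))?\s*$'
)
# Only quoted options (msg:"..."; content:"...") are understood here.
OPT_RE = re.compile(r'(\w+)\s*:\s*"([^"]*)"')


@dataclass
class Rule:
    action: str
    proto: str
    dport: str
    msg: str
    content: Optional[str]  # None: the rule matches on the header alone

    @classmethod
    def parse(cls, text: str) -> "Rule":
        m = HEADER_RE.match(text.strip())
        if not m:
            raise ValueError(f"unparseable rule: {text!r}")
        opts = dict(OPT_RE.findall(m.group("opts") or ""))
        return cls(m.group("action"), m.group("proto"), m.group("dport"),
                   opts.get("msg", ""), opts.get("content"))

    def matches(self, proto: str, dport: int, payload: bytes) -> bool:
        if proto != self.proto:
            return False
        if self.dport != "any" and int(self.dport) != dport:
            return False
        # content:"HTML" is a plain substring test on the packet payload
        if self.content is not None and self.content.encode() not in payload:
            return False
        return True


@dataclass
class Packet:
    proto: str
    dport: int
    payload: bytes


def evaluate(rules: List[Rule], packets: List[Packet]) -> Tuple[List[str], List[bytes]]:
    """Run every rule over every packet.

    An 'alert' rule yields only its msg (the high-level information
    Christopher describes); a 'log' rule records the whole payload."""
    alerts: List[str] = []
    logged: List[bytes] = []
    for pkt in packets:
        for rule in rules:
            if not rule.matches(pkt.proto, pkt.dport, pkt.payload):
                continue
            if rule.action == "alert":
                alerts.append(rule.msg)
            elif rule.action == "log":
                logged.append(pkt.payload)
    return alerts, logged


# Constructed sample traffic, not real AIM captures: an HTML-tagged message
# on 5190, a binary frame on 5190 with no "HTML" string, the same message
# on a non-standard port (as a proxied client might send it), and plain HTTP.
SAMPLE_PACKETS = [
    Packet("tcp", 5190, b"<HTML><BODY>hello</BODY></HTML>"),
    Packet("tcp", 5190, b"\x2a\x02\x00\x01\x00\x0a"),
    Packet("tcp", 8080, b"<HTML><BODY>via proxy</BODY></HTML>"),
    Packet("tcp", 80, b"GET / HTTP/1.0\r\n\r\n"),
]

# The two rules exactly as they appear in the thread.
ALERT_RULE = 'alert tcp any any -> any 5190 (msg:"AIM Message"; content:"HTML";)'
LOG_RULE = 'log tcp any any -> any 5190'


def demo() -> Tuple[List[str], List[bytes]]:
    rules = [Rule.parse(ALERT_RULE), Rule.parse(LOG_RULE)]
    return evaluate(rules, SAMPLE_PACKETS)


if __name__ == "__main__":
    alerts, logged = demo()
    print("alerts:", alerts)
    print("logged payloads:", logged)
```

Running it gives one alert (the first packet only) and two logged payloads (both port 5190 packets, the binary one included), while the proxied copy on port 8080 produces nothing, which is the "presuming ... not proxied" caveat in the reply.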