Snort mailing list archives
RE: Catchall Rule
From: "Gonzalez, Albert" <albert.gonzalez () eds com>
Date: Thu, 6 Feb 2003 10:54:19 -0500
Hey sexy! How are you this morning? I haven't forgotten about you with the whole job thing, I just have to get in contact with someone in our New York Office, and see what they do, dunno if they are sales or consultants.. we shall see.. sorry it is taking so long n stuff..

Cheers!

Alberto Gonzalez
EDS - Global Security Operations Center
Security and Privacy Professional Services

-----Original Message-----
From: Erek Adams [mailto:erek () snort org]
Sent: Thursday, February 06, 2003 10:32 AM
To: Gary Hill
Cc: Rodney Green; John Cherbini; Snort User Groups
Subject: RE: [Snort-users] Catchall Rule

On Thu, 6 Feb 2003, Gary Hill wrote:
I take it this rule won't capture non-tcp/udp/icmp traffic such as IPSEC!
Can you create a rule that looks at all IP traffic, rather than each protocol on top of it?
Sure.

log ip any any -> $HOME_NET any

But traffic isn't always ip traffic....

log icmp any any -> $HOME_NET any
log arp any any -> $HOME_NET any

(Ok, the last one is silly, but he said "all traffic". :)
From what I'm getting, you want to snarf all the frames on the wire, then shove that into a DB. If you do, be _sure_ to have acres of disk, and one helluva machine for the DB. You might get better performance using Barnyard to spool the files. If realtime isn't an issue, you might be better off with tcpdump and then using Snort to post process.

Cheers!

-----
Erek Adams
"When things get weird, the weird turn pro." H.S. Thompson

-------------------------------------------------------
This SF.NET email is sponsored by: SourceForge Enterprise Edition + IBM + LinuxWorld = Something 2 See!
http://www.vasoftware.com
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
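The reply above makes the point that "traffic isn't always ip traffic": a catchall such as `log ip any any -> $HOME_NET any` only sees what Snort decodes as IP, so ARP, IPv6 (on a build without IPv6 support) and anything else on the wire never reaches the rule. The following Python script is an added example, not code from this thread or from the Snort project: it reads a classic libpcap capture (the format `tcpdump -w` and Snort's binary log produce), tallies frames by EtherType (handling one 802.1Q VLAN tag), and reports how many frames an IPv4-only catchall would have logged versus missed. The sample capture is constructed in memory so the script runs offline; replace `build_sample_pcap()` with the bytes of a real capture file to check your own sensor's coverage.

```python
"""Tally EtherTypes in a pcap to see what an IPv4-only Snort catchall would miss.

Added example, not from the Snort-users thread or the Snort project. The sample
capture below is constructed inline and is not real traffic.
"""
import struct
from collections import Counter

# EtherType values from the IEEE registry; anything else is reported as "other".
ETHERTYPE_NAMES = {0x0800: "ipv4", 0x0806: "arp", 0x86DD: "ipv6"}
ETHERTYPE_VLAN = 0x8100   # 802.1Q tag: the real EtherType follows 4 bytes later
DLT_EN10MB = 1            # pcap link type for Ethernet


def iter_pcap_frames(data: bytes):
    """Yield raw Ethernet frames from classic (libpcap) pcap bytes."""
    magic = data[:4]
    if magic == b"\xd4\xc3\xb2\xa1":
        endian = "<"                      # written on a little-endian host
    elif magic == b"\xa1\xb2\xc3\xd4":
        endian = ">"                      # written on a big-endian host
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    linktype = struct.unpack(endian + "I", data[20:24])[0]
    if linktype != DLT_EN10MB:
        raise ValueError("only Ethernet captures are handled here")
    off = 24                              # global header is 24 bytes
    while off + 16 <= len(data):
        _ts_sec, _ts_usec, incl_len, _orig_len = struct.unpack(
            endian + "IIII", data[off:off + 16])
        off += 16
        yield data[off:off + incl_len]
        off += incl_len


def tally_ethertypes(data: bytes) -> Counter:
    """Count frames per EtherType, looking through a single 802.1Q tag."""
    counts = Counter()
    for frame in iter_pcap_frames(data):
        if len(frame) < 14:
            counts["runt"] += 1           # too short to carry an Ethernet header
            continue
        ethertype = struct.unpack("!H", frame[12:14])[0]
        if ethertype == ETHERTYPE_VLAN and len(frame) >= 18:
            ethertype = struct.unpack("!H", frame[16:18])[0]
        counts[ETHERTYPE_NAMES.get(ethertype, "other-0x%04x" % ethertype)] += 1
    return counts


def catchall_coverage(counts: Counter) -> dict:
    """Frames an IPv4-only 'log ip any any -> $HOME_NET any' rule would log vs. miss."""
    total = sum(counts.values())
    logged = counts["ipv4"]
    return {"total": total, "logged_by_ip_rule": logged, "missed": total - logged}


def _pcap_record(frame: bytes) -> bytes:
    # Record header: ts_sec, ts_usec, incl_len, orig_len (little-endian to match magic).
    return struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame


def build_sample_pcap() -> bytes:
    """Constructed sample: 3 IPv4, 1 ARP, 1 IPv6 and 1 VLAN-tagged IPv4 frame."""
    dst = b"\x00\x11\x22\x33\x44\x55"
    src = b"\x66\x77\x88\x99\xaa\xbb"

    def eth(ethertype, payload=b"\x00" * 20, vlan=None):
        hdr = dst + src
        if vlan is not None:
            hdr += struct.pack("!HH", ETHERTYPE_VLAN, vlan)
        return hdr + struct.pack("!H", ethertype) + payload

    # magic, version 2.4, thiszone, sigfigs, snaplen, linktype
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, DLT_EN10MB)
    frames = [eth(0x0800)] * 3 + [eth(0x0806), eth(0x86DD), eth(0x0800, vlan=10)]
    return header + b"".join(_pcap_record(f) for f in frames)


if __name__ == "__main__":
    counts = tally_ethertypes(build_sample_pcap())
    for name, n in sorted(counts.items()):
        print("%-12s %d" % (name, n))
    print(catchall_coverage(counts))
```

On the constructed sample the tally is 4 IPv4 (one of them VLAN-tagged), 1 ARP and 1 IPv6, so the IPv4 catchall logs 4 of 6 frames and misses 2. Run against a real capture from the sensor's interface, the "missed" figure is the traffic a DB fed only by `log ip` will never contain, which is also a useful sanity check before sizing the disk the reply warns about.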
Current thread:
- RE: Catchall Rule, (continued)
- RE: Catchall Rule John Cherbini (Feb 05)
- Re: Catchall Rule Rodney Green (Feb 06)
- RE: Catchall Rule John Cherbini (Feb 06)
- Re: Catchall Rule Rodney Green (Feb 06)
- RE: Catchall Rule John Cherbini (Feb 05)
- Re: Catchall rule njharris (Feb 05)
- RE: Catchall Rule Gary Hill (Feb 06)
- RE: Catchall Rule Erek Adams (Feb 06)
- RE: Catchall Rule John Cherbini (Feb 06)
- Re: Catchall Rule Ashley Thomas (Feb 06)
- Re: Catchall Rule Martin Roesch (Feb 10)
- RE: Catchall Rule Erek Adams (Feb 06)
- RE: Catchall Rule Gonzalez, Albert (Feb 06)
- RE: Catchall Rule Gary Hill (Feb 06)
- RE: Catchall Rule John Cherbini (Feb 06)
- Re: Catchall Rule Kenton Smith (Feb 06)
- RE: Catchall Rule John Cherbini (Feb 05)