Snort mailing list archives
Re: Alerts and packet capture - MYSQL
From: Erek Adams <erek () snort org>
Date: Mon, 19 May 2003 19:21:13 -0400 (EDT)
On Mon, 19 May 2003, Snow Jacob C KPWA wrote:
> I am using snort 2.0 to capture data based on a custom rule: alert tcp $HOME_NET any -> $EXTERNAL_NET :1024 (msg:"Syn Outbound";flags:S;tag:session,2,packets;) and logging this information to a MySQL database. I then want to look through this data to see if a synack is sent back (aka a complete handshake/connection). I am capturing additional packets as well. When I try and view the additional packets in snort I am only getting the packet that triggers the rule, not the extra packets that were captured. Is there a way to view this information with acid, or am I stuck doing it by hand?
Snort only logs the packets that match the rule. This rule will only flag outbound SYNs. It won't help with returning SYNACKs. You would need a second rule to look for SYNACK with a 'flags:SA'.
> Also, is there a way to write the rule such that it won't trigger if I don't get a synack back?
If I'm following this right, you want the above rule to alert if and only if there is an outbound SYN followed by a returning SYNACK from the destination IP of the SYN packet? If so, then no. That would be a job better handled by a preprocessor. Perhaps something similar to portscan(2)....
> Does ACID already do this and I am missing something? A little advice from the snort gurus and everyone else would be nice :-).
ACID is simply a way to view data. It doesn't deal with rules, it simply pulls data from the DB and displays it via PHP.

Hope that helps!

-----
Erek Adams
"When things get weird, the weird turn pro." H.S. Thompson
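The post-processing Erek points at (a SYN rule plus a separate flags:SA rule, then pairing the two sets of events after the fact) can be done from the database rows that ACID displays. The following is an added example, not code from the thread, from Snort, or from ACID. It assumes a cut-down copy of the Snort MySQL schema's event/iphdr/tcphdr tables (column names as in Snort's create_mysql script, addresses stored as 32-bit integers, tcp_flags as the raw TCP flag byte with SYN=0x02 and ACK=0x10), loads constructed sample rows into an in-memory SQLite database in place of MySQL, and uses placeholder sid numbers in the two rules. An outbound SYN is counted as a completed handshake only when a SYN/ACK for the reversed 4-tuple arrives within a time window; unsolicited or late SYN/ACKs are ignored and unanswered SYNs are reported.

```python
import sqlite3
from datetime import datetime, timedelta
from ipaddress import IPv4Address

TCP_SYN, TCP_ACK = 0x02, 0x10  # TCP flag bits as stored in tcphdr.tcp_flags

# The rule from the thread and the second rule Erek suggests (flags:SA, direction
# reversed). The sid values are placeholders, not from the original post.
SYN_RULE = ('alert tcp $HOME_NET any -> $EXTERNAL_NET :1024 '
            '(msg:"Syn Outbound"; flags:S; sid:1000001;)')
SYNACK_RULE = ('alert tcp $EXTERNAL_NET :1024 -> $HOME_NET any '
               '(msg:"SynAck Inbound"; flags:SA; sid:1000002;)')


def ip2int(addr):
    """Snort's DB schema stores IPv4 addresses as unsigned 32-bit integers."""
    return int(IPv4Address(addr))


def build_sample_db():
    """Constructed sample: a trimmed subset of the Snort MySQL event/iphdr/tcphdr tables."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE event  (sid INTEGER, cid INTEGER, signature INTEGER, timestamp TEXT);
        CREATE TABLE iphdr  (sid INTEGER, cid INTEGER, ip_src INTEGER, ip_dst INTEGER);
        CREATE TABLE tcphdr (sid INTEGER, cid INTEGER, tcp_sport INTEGER, tcp_dport INTEGER,
                             tcp_flags INTEGER);
    """)
    # (cid, signature, timestamp, src, sport, dst, dport, flags); signature 1 = SYN rule, 2 = SA rule
    rows = [
        (1, 1, "2003-05-19 19:00:00", "10.0.0.5", 40001, "198.51.100.10", 80, TCP_SYN),
        (2, 2, "2003-05-19 19:00:01", "198.51.100.10", 80, "10.0.0.5", 40001, TCP_SYN | TCP_ACK),
        (3, 1, "2003-05-19 19:00:05", "10.0.0.5", 40002, "198.51.100.20", 22, TCP_SYN),  # no reply
        (4, 2, "2003-05-19 19:00:09", "198.51.100.30", 443, "10.0.0.5", 40003, TCP_SYN | TCP_ACK),  # unsolicited
        (5, 1, "2003-05-19 19:10:00", "10.0.0.5", 40004, "198.51.100.40", 25, TCP_SYN),
        (6, 2, "2003-05-19 19:11:00", "198.51.100.40", 25, "10.0.0.5", 40004, TCP_SYN | TCP_ACK),  # too late
    ]
    for cid, sig, ts, src, sport, dst, dport, flags in rows:
        con.execute("INSERT INTO event VALUES (1, ?, ?, ?)", (cid, sig, ts))
        con.execute("INSERT INTO iphdr VALUES (1, ?, ?, ?)", (cid, ip2int(src), ip2int(dst)))
        con.execute("INSERT INTO tcphdr VALUES (1, ?, ?, ?, ?)", (cid, sport, dport, flags))
    return con


# Same join a practitioner would run against the real Snort tables (sid,cid is the event key).
QUERY = """
SELECT e.timestamp, i.ip_src, t.tcp_sport, i.ip_dst, t.tcp_dport, t.tcp_flags
FROM event e
JOIN iphdr  i ON i.sid = e.sid AND i.cid = e.cid
JOIN tcphdr t ON t.sid = e.sid AND t.cid = e.cid
ORDER BY e.timestamp, e.cid
"""


def correlate(con, window=timedelta(seconds=30)):
    """Return (completed, unanswered) lists of (src, sport, dst, dport) for outbound SYNs."""
    pending = {}  # 4-tuple of the outbound SYN -> time it was seen
    completed = []
    for ts, src, sport, dst, dport, flags in con.execute(QUERY):
        t = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        key = (str(IPv4Address(src)), sport, str(IPv4Address(dst)), dport)
        if (flags & (TCP_SYN | TCP_ACK)) == TCP_SYN:
            pending[key] = t
        elif (flags & (TCP_SYN | TCP_ACK)) == (TCP_SYN | TCP_ACK):
            rev = (key[2], key[3], key[0], key[1])  # the SYN/ACK flows back, so swap the ends
            t0 = pending.get(rev)
            if t0 is not None and timedelta(0) <= t - t0 <= window:
                completed.append(rev)
                del pending[rev]
            # SYN/ACKs with no matching SYN, or outside the window, are ignored
    return completed, sorted(pending)


if __name__ == "__main__":
    done, open_syns = correlate(build_sample_db())
    print("completed handshakes:", done)
    print("unanswered SYNs:", open_syns)
```

Against a live Snort database the only change is the connection object (a MySQL driver in place of sqlite3) and the same QUERY; the pairing logic needs both rules loaded, since without the flags:SA rule the returning SYN/ACK never reaches the DB at all, which is the point Erek makes above.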