Snort mailing list archives
newbie ? about tcp packet collection for specific ip
From: Janet Norton <cjnorton () fmtc net>
Date: Mon, 03 May 2004 11:11:22 -0400
Before I spend too much time playing around with snort, I wonder if someone can confirm whether snort would meet my needs for a specific application. I need a non-interactive process which will monitor a small network at the company to intercept tcp traffic going to a printer. This process would run continuously, but once the tcp printer traffic is detected a different program would be initiated to process the data. Currently I have been playing with a perl script which continuously executes tethereal every 60 sec and I process the log for data of interest.

tethereal.exe -f "dst 149.59.152.28" -a duration:60 -w outfile

I wondered if I could use snort and create a specific rule file for tcp traffic (maybe to include only tcp port 515 packets)? My expectation is the log file would only be created when tcp traffic to the printer occurs, and the content of the tcp stream is present in the log. If I could start snort in daemon mode and have it constantly append to the log, then I could have another program running which monitors the log and, when new data is present, processes the data. Please confirm if snort could work in this manner, and if so can you provide the correct syntax for snort and the rule using the detail I provided above. Any suggestions are appreciated. THANKS!
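The "another program which monitors the log" half of the design above, as an added example that is not part of the original post or of Snort itself: it tails a Snort 2 alert_fast file and fires a handler only for TCP alerts whose destination is the printer on port 515. It assumes snort runs with `output alert_fast` and a rule like `alert tcp any any -> 149.59.152.28 515 (msg:"LPD to printer"; sid:1000001; rev:1;)`; the sid, the handler and the sample line in the comment are constructed.

```python
"""Watch a Snort alert_fast log for LPD (TCP/515) traffic to the printer."""
import re
import time

PRINTER_IP = "149.59.152.28"   # printer address from the post
LPD_PORT = 515                 # LPD / lpr port mentioned in the post

# One line of Snort 2 alert_fast output (constructed sample):
# 05/03-11:11:22.123456  [**] [1:1000001:1] LPD to printer [**] [Priority: 0] {TCP} 10.0.0.5:49152 -> 149.59.152.28:515
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r".*?\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s*$"
)


def parse_alert(line):
    """Return a dict of fields for a well-formed alert_fast line, else None."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    for k in ("sport", "dport", "sid"):
        d[k] = int(d[k])
    return d


def is_printer_job(alert):
    """True when the alert is TCP traffic aimed at the printer's LPD port."""
    return (alert is not None and alert["proto"] == "TCP"
            and alert["dst"] == PRINTER_IP and alert["dport"] == LPD_PORT)


def follow(path, handler, poll=1.0):
    """Tail the alert file and call handler(alert) for each new printer alert.

    Starts at end-of-file so only alerts written after startup are handled;
    runs until interrupted, polling every `poll` seconds (hypothetical handler).
    """
    with open(path) as f:
        f.seek(0, 2)
        while True:
            line = f.readline()
            if not line:
                time.sleep(poll)
                continue
            alert = parse_alert(line)
            if is_printer_job(alert):
                handler(alert)
```

Run `follow("/var/log/snort/alert", my_processor)` in place of the 60-second tethereal loop; because alert_fast is one line per alert, the watcher only wakes when the printer rule actually fires.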