Snort mailing list archives
Using snort with pcap while alerting
From: honeybadger () q com
Date: Tue, 04 Dec 2012 10:31:03 -0700
Hey all, I am trying to get my head around how to script this. I want a packet capture when SNORT alerts that a server is getting a UDP packet. I know the rule is alert UDP any any -> serverip any. PCAP does not seem able to do this, is there a way to script this in a local rule?

Snort Releases <snortreleases () snort org> wrote:
Snort 2.9.4 is now available on snort.org, at http://www.snort.org/snort-downloads/ in the Latest Release section.

************ Please note: 2.9.3.1 & later packages are signed with a new PGP key (that key is signed with the previous key). ************

Snort 2.9.4 includes changes for the following:

[*] New additions
* Consolidation of IPv6 -- now only a single build supports both IPv4 & IPv6, and removal of the IPv4 "only" code paths.
* File API and improvements to file processing for HTTP downloads and email attachments via SMTP, POP, and IMAP to facilitate broader file support
* Use of address space ID for tracking Frag & Stream connections when it is available with the DAQ
* Logging of packet data that triggers PPM for post-analysis via Snort event
* Decoding of IPv6 with PPPoE
* Added an API call to add a service to a host in the attribute table. Remove the unused live attribute update code.

[*] Improvements
* Update to Stream5 PAF for handling gaps in the sequence numbers of packets being reassembled.
* Selection of the Stream TCP policy based on the server rather than the destination of first packet seen by Snort
* Allow disabling of global thresholds via a count of -1
* Prevent blocking duplicate SYNs when using inline normalization
* Add SSLv3 backwards compatibility support for SSLv2 ClientHello messages
* Allow active responses to packets without data (eg, a TCP SYN)
* Changed logic of option evaluations for shared library rules that use a custom evaluation function to match that of the builtin logic when the NOT_FLAG is used. The 'NOT' matching now happens within each of the individual rule option evaluation functions.
* Updated SMTP preprocessor to better handle commands that have corresponding data on a subsequent line to reduce false positives. 3 commands fall into this category - X-EXPS, XEXCH50, and BDAT.
* Improve support for encapsulated & tunneling protocols to block or fastpath a connection within the tunnel rather than applying that to the whole tunnel.

Please see the Release Notes and ChangeLog for more details. Please submit bugs, questions, and feedback to bugs () snort org.

Happy Snorting!
The Snort Release Team

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
Please visit http://blog.snort.org to stay current on all the latest Snort news!
-- Sent from my Android phone with K-9 Mail. Please excuse my brevity.
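One way to get a pcap out of the alert the question describes is to combine Snort's log_tcpdump output plugin with the rule's own tag option, or to use a log rule action instead of alert. This is an added example, not code from the thread or any reply in it; 192.0.2.10 stands in for "serverip" and the sids are arbitrary local-rule values.

```conf
# Added example (not from the thread). Placeholders: 192.0.2.10 stands for
# the server address from the question; sids 1000001/1000002 are arbitrary
# local-rule sids (local rules use sid >= 1000000).
#
# --- snort.conf ---
# Write every packet a rule logs (including tagged follow-up packets) to a
# pcap-format file under the -l log directory; tcpdump/Wireshark can read it.
output log_tcpdump: snort.log
# Keep a plain alert file as well, so the alert itself is still visible.
output alert_fast: alert

# --- local.rules ---
# Alert on any UDP packet to the server and keep capturing that session's
# next 10 packets (tag:session). Use "tag:host,60,seconds,src;" instead to
# capture everything from the sending host for 60 seconds.
alert udp any any -> 192.0.2.10 any (msg:"UDP to server - capturing session"; \
    tag:session,10,packets; sid:1000001; rev:1;)

# Quieter alternative: the "log" action writes the packet to the log output
# plugins without raising an alert, so every UDP packet to the server lands
# in the pcap while the alert file stays clean. Use one rule or the other,
# not both, or each packet is recorded twice.
log udp any any -> 192.0.2.10 any (msg:"UDP to server - pcap only"; \
    sid:1000002; rev:1;)
```

Start Snort with `-c snort.conf -l <logdir>`; log_tcpdump appends a timestamp to the file name (snort.log.<epoch>), and a rule that matches every UDP packet to a busy server will fill that file quickly, so scope the rule (ports, direction) or the tag duration to what you actually need to inspect.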