Re: How to know what is "any" ip address???

[waldo kitty <wkitty42 () windstream net>]

On 2/2/2015 8:11 AM, zT wrote:
> hello all i use
> alert tcp any any -> any any (msg:"network found in packet content!!!";
> content:"network"; sid:10000; )
> when snort find a packet with FB content i want to which ip address this packet
> is comes from (ip header of packet) and store this packet( it content and
> headers) in a file.
> how can do this ?

by default, if you haven't changed the output stuff, snort puts this information 
in the captured pcap file named snort.log.xxxxxxxxxx that is active at the time 
the alert was fired... there's one snort.log.xxxxxxxxxx pcap file active for 
each execution of snort...

-- 
  NOTE: No off-list assistance is given without prior approval.
        Please *keep mailing list traffic on the list* unless
        private contact is specifically requested and granted.

------------------------------------------------------------------------------
Dive into the World of Parallel Programming. The Go Parallel Website,
sponsored by Intel and developed in partnership with Slashdot Media, is your
hub for all things parallel software development, from weekly thought
leadership blogs to news, videos, case studies, tutorials and more. Take a
look and join the conversation now. http://goparallel.sourceforge.net/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!