Snort mailing list archives
Re: Fw: Snort Malicious Traffic Redirection to other IP
From: mehrdad hajizadeh <mehrdad_richman () yahoo com>
Date: Thu, 2 Apr 2015 12:19:04 +0000 (UTC)
Actually, Im working on this solution whenever alert triggered snort should log malicious in pcap format and save it
in destination machine (or a software try to make socket and send).
But the problem is that in the destination we would need to read this pcap data in offline mode.(I think it may not
optimum solution)
Is there any possibility in snort that whenever alert triggered uses firewall capability in order to forward traffic
flow to the new destination in real time mode ? (or even is it possible to execute a script as an action in snort
after trigger)
Any other idea?suggestion?
Tnx
On Wednesday, April 1, 2015 12:28 PM, Al Lewis (allewi) <allewi () cisco com> wrote:
#yiv8258398872 #yiv8258398872 -- _filtered #yiv8258398872 {font-family:Helvetica;panose-1:2 11 6 4 2 2 2 2 2 4;}
_filtered #yiv8258398872 {font-family:Helvetica;panose-1:2 11 6 4 2 2 2 2 2 4;} _filtered #yiv8258398872
{font-family:Calibri;panose-1:2 15 5 2 2 2 4 3 2 4;} _filtered #yiv8258398872 {font-family:Tahoma;panose-1:2 11 6 4 3 5
4 4 2 4;} _filtered #yiv8258398872 {font-family:Candara;panose-1:2 14 5 2 3 3 3 2 2 4;} _filtered #yiv8258398872
{font-family:Georgia;panose-1:2 4 5 2 5 4 5 2 3 3;} _filtered #yiv8258398872 {panose-1:0 0 0 0 0 0 0 0 0
0;}#yiv8258398872 #yiv8258398872 p.yiv8258398872MsoNormal, #yiv8258398872 li.yiv8258398872MsoNormal, #yiv8258398872
div.yiv8258398872MsoNormal {margin:0in;margin-bottom:.0001pt;font-size:12.0pt;}#yiv8258398872 a:link, #yiv8258398872
span.yiv8258398872MsoHyperlink {color:blue;text-decoration:underline;}#yiv8258398872 a:visited, #yiv8258398872
span.yiv8258398872MsoHyperlinkFollowed {color:purple;text-decoration:underline;}#yiv8258398872 span {}#yiv8258398872
span.yiv8258398872EmailStyle18 {color:#1F497D;}#yiv8258398872 .yiv8258398872MsoChpDefault {font-size:10.0pt;} _filtered
#yiv8258398872 {margin:1.0in 1.0in 1.0in 1.0in;}#yiv8258398872 div.yiv8258398872WordSection1 {}#yiv8258398872 Have you
tried capturing the traffic (in pcap format) and then using that (replaying it) for analysis on another machine?
Albert Lewis QA Software Engineer SOURCEfire, Inc.now part of Cisco 9780 Patuxent Woods Drive
Columbia, MD 21046 Phone: (office) 443.430.7112 Email:allewi () cisco com From: mehrdad hajizadeh
[mailto:mehrdad_richman () yahoo com]
Sent: Wednesday, April 01, 2015 1:53 AM
To: Snort-users () lists sourceforge net
Subject: [Snort-users] Fw: Snort Malicious Traffic Redirection to other IP Actually, in this special case I wanna
separate and send malicious traffic for further analysis in other machine (honeypot machine or get DPI service from
central DPI machine). On Tuesday, March 31, 2015 4:47 PM, Joel Esler (jesler) <jesler () cisco com> wrote:
Why not put Snort inline and drop the malicious traffic totally? --
Joel Esler
Open Source Manager
Threat Intelligence Team Lead
Talos Group
On Mar 31, 2015, at 1:17 AM, mehrdad hajizadeh <mehrdad_richman () yahoo com> wrote: Hello All, I was
wondering if somebody help me , how I can redirect malicious traffic to the other IP or host with Snort. Is it possible
in snort to redirect specific traffic (the traffic which is matched with snort attack signature ) to the one specific
computer? I just wanna to separate malicious traffic with normal traffic by snort.. Tnx in advance
------------------------------------------------------------------------------
Dive into the World of Parallel Programming The Go Parallel Website, sponsored
by Intel and developed in partnership with Slashdot Media, is your hub for all
things parallel software development, from weekly thought leadership blogs to
news, videos, case studies, tutorials and more. Take a look and join the
conversation now. http://goparallel.sourceforge.net/_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
Please visit http://blog.snort.org to stay current on all the latest Snort news!
------------------------------------------------------------------------------ Dive into the World of Parallel Programming The Go Parallel Website, sponsored by Intel and developed in partnership with Slashdot Media, is your hub for all things parallel software development, from weekly thought leadership blogs to news, videos, case studies, tutorials and more. Take a look and join the conversation now. http://goparallel.sourceforge.net/
_______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news!
Current thread:
- Fw: Snort Malicious Traffic Redirection to other IP mehrdad hajizadeh (Mar 31)
- Re: Fw: Snort Malicious Traffic Redirection to other IP Al Lewis (allewi) (Apr 01)
- Re: Fw: Snort Malicious Traffic Redirection to other IP mehrdad hajizadeh (Apr 02)
- Re: Fw: Snort Malicious Traffic Redirection to other IP Al Lewis (allewi) (Apr 01)