Snort mailing list archives
Re: Fw: Snort Malicious Traffic Redirection to other IP
From: mehrdad hajizadeh <mehrdad_richman () yahoo com>
Date: Thu, 2 Apr 2015 12:19:04 +0000 (UTC)
Actually, Im working on this solution whenever alert triggered snort should log malicious in pcap format and save it in destination machine (or a software try to make socket and send). But the problem is that in the destination we would need to read this pcap data in offline mode.(I think it may not optimum solution) Is there any possibility in snort that whenever alert triggered uses firewall capability in order to forward traffic flow to the new destination in real time mode ? (or even is it possible to execute a script as an action in snort after trigger) Any other idea?suggestion? Tnx On Wednesday, April 1, 2015 12:28 PM, Al Lewis (allewi) <allewi () cisco com> wrote: #yiv8258398872 #yiv8258398872 -- _filtered #yiv8258398872 {font-family:Helvetica;panose-1:2 11 6 4 2 2 2 2 2 4;} _filtered #yiv8258398872 {font-family:Helvetica;panose-1:2 11 6 4 2 2 2 2 2 4;} _filtered #yiv8258398872 {font-family:Calibri;panose-1:2 15 5 2 2 2 4 3 2 4;} _filtered #yiv8258398872 {font-family:Tahoma;panose-1:2 11 6 4 3 5 4 4 2 4;} _filtered #yiv8258398872 {font-family:Candara;panose-1:2 14 5 2 3 3 3 2 2 4;} _filtered #yiv8258398872 {font-family:Georgia;panose-1:2 4 5 2 5 4 5 2 3 3;} _filtered #yiv8258398872 {panose-1:0 0 0 0 0 0 0 0 0 0;}#yiv8258398872 #yiv8258398872 p.yiv8258398872MsoNormal, #yiv8258398872 li.yiv8258398872MsoNormal, #yiv8258398872 div.yiv8258398872MsoNormal {margin:0in;margin-bottom:.0001pt;font-size:12.0pt;}#yiv8258398872 a:link, #yiv8258398872 span.yiv8258398872MsoHyperlink {color:blue;text-decoration:underline;}#yiv8258398872 a:visited, #yiv8258398872 span.yiv8258398872MsoHyperlinkFollowed {color:purple;text-decoration:underline;}#yiv8258398872 span {}#yiv8258398872 span.yiv8258398872EmailStyle18 {color:#1F497D;}#yiv8258398872 .yiv8258398872MsoChpDefault {font-size:10.0pt;} _filtered #yiv8258398872 {margin:1.0in 1.0in 1.0in 1.0in;}#yiv8258398872 div.yiv8258398872WordSection1 {}#yiv8258398872 Have you tried capturing the traffic (in pcap format) and then using that (replaying it) for analysis on another machine? Albert Lewis QA Software Engineer SOURCEfire, Inc.now part of Cisco 9780 Patuxent Woods Drive Columbia, MD 21046 Phone: (office) 443.430.7112 Email:allewi () cisco com From: mehrdad hajizadeh [mailto:mehrdad_richman () yahoo com] Sent: Wednesday, April 01, 2015 1:53 AM To: Snort-users () lists sourceforge net Subject: [Snort-users] Fw: Snort Malicious Traffic Redirection to other IP Actually, in this special case I wanna separate and send malicious traffic for further analysis in other machine (honeypot machine or get DPI service from central DPI machine). On Tuesday, March 31, 2015 4:47 PM, Joel Esler (jesler) <jesler () cisco com> wrote: Why not put Snort inline and drop the malicious traffic totally? -- Joel Esler Open Source Manager Threat Intelligence Team Lead Talos Group On Mar 31, 2015, at 1:17 AM, mehrdad hajizadeh <mehrdad_richman () yahoo com> wrote: Hello All, I was wondering if somebody help me , how I can redirect malicious traffic to the other IP or host with Snort. Is it possible in snort to redirect specific traffic (the traffic which is matched with snort attack signature ) to the one specific computer? I just wanna to separate malicious traffic with normal traffic by snort.. Tnx in advance ------------------------------------------------------------------------------ Dive into the World of Parallel Programming The Go Parallel Website, sponsored by Intel and developed in partnership with Slashdot Media, is your hub for all things parallel software development, from weekly thought leadership blogs to news, videos, case studies, tutorials and more. Take a look and join the conversation now. http://goparallel.sourceforge.net/_______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news!
------------------------------------------------------------------------------ Dive into the World of Parallel Programming The Go Parallel Website, sponsored by Intel and developed in partnership with Slashdot Media, is your hub for all things parallel software development, from weekly thought leadership blogs to news, videos, case studies, tutorials and more. Take a look and join the conversation now. http://goparallel.sourceforge.net/
_______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news!
Current thread:
- Fw: Snort Malicious Traffic Redirection to other IP mehrdad hajizadeh (Mar 31)
- Re: Fw: Snort Malicious Traffic Redirection to other IP Al Lewis (allewi) (Apr 01)
- Re: Fw: Snort Malicious Traffic Redirection to other IP mehrdad hajizadeh (Apr 02)
- Re: Fw: Snort Malicious Traffic Redirection to other IP Al Lewis (allewi) (Apr 01)