Snort mailing list archives
custom snort rule for packet capture
From: Le CON <matty_condon () hotmail com>
Date: Fri, 11 Dec 2015 11:10:53 +1300
Hey guys, so what I want to do is have custom rules which both a) update the normal way via unified2, which is then passed to a DB via by2, and b) dump those packets. So basically, if a known bad IP hits I want to know about it, and also get a full packet capture dump. BUT I don't want 3,000 alerts for the 3,000 packets; I want 1 alert, or 1 alert per 5 minutes, letting me know that we got touched by badness and packets are being dumped. Here's what I had:

    ruletype sensitive
    {
        type alert
        output unified2: filename snort.u2, limit 128, mpls_event_types, vlan_event_types
        output log_tcpdump: sensitive.log
    }

    sensitive ip any any <> any any (content:"secret"; nocase; msg:"packet containing 'secret'"; classtype:sensitive; sid:80000001; rev:1;)
    sensitive ip 192.168.1.5 any <> any any (msg:"bad IP detected, dumping packets...."; classtype:sensitive; sid:80000002; rev:1;)

OK, so the problem is, it worked, but it flooded my normal events with about 3,000 alerts every time this 192.168.1.5 IP connected. As I said, I only want it to alert once every 5 minutes or so. I know I can do an in-rule threshold that limits alerts to once every 5 minutes by doing "threshold:type limit, count 1, seconds 60;" but since the rule is tied also to tcpdump, will that not cut the packet dump also?? Anyone have any experience with this?
------------------------------------------------------------------------------
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
Please visit http://blog.snort.org to stay current on all the latest Snort news!
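Editor's note: the thread above carries no reply. The configuration below is an added example, not the poster's or the Snort project's own code, showing one way to get the behaviour asked for: a throttled alert and an unthrottled packet dump for the same traffic. In Snort 2.x, thresholding (in-rule `threshold` or a `config event_filter`) is applied to an event before any output plugin sees it, so putting both outputs in one alert ruletype and thresholding that rule throttles the tcpdump log too. Splitting the work across two ruletypes avoids this: the alert ruletype only writes unified2 and carries the threshold; a separate log ruletype only writes the pcap and has no threshold. The sid 80000003, the `sensitive_alert`/`sensitive_dump` ruletype names, the file names and the `config classification` line are placeholders chosen for this example; Snort 2.9.x syntax is assumed.

```snort
# Added example (not from the thread): separate the alert from the packet dump
# so that thresholding the alert cannot throttle the capture.
# Assumes Snort 2.9.x. Ruletype names, sids, file names and the classification
# line are hypothetical placeholders.

# "sensitive" is not one of Snort's default classtypes, so it has to be
# declared before the rules that use it (name, description, default priority).
config classification: sensitive,Sensitive traffic,2

# Ruletype 1: alert only. Events go to unified2 for barnyard2; no pcap here.
ruletype sensitive_alert
{
    type alert
    output unified2: filename snort.u2, limit 128, mpls_event_types, vlan_event_types
}

# Ruletype 2: log only. Every matching packet is written to the pcap and
# nothing is written to unified2, so the DB stays quiet.
ruletype sensitive_dump
{
    type log
    output log_tcpdump: sensitive.log
}

# At most one alert per source address every 300 seconds. The threshold is
# attached to this rule's events only and never touches the dump rule below.
sensitive_alert ip 192.168.1.5 any <> any any (msg:"bad IP detected, dumping packets"; \
    threshold:type limit, track by_src, count 1, seconds 300; \
    classtype:sensitive; sid:80000002; rev:2;)

# Same traffic, no threshold: all 3,000 packets land in sensitive.log.
sensitive_dump ip 192.168.1.5 any <> any any (msg:"bad IP packet dump"; \
    classtype:sensitive; sid:80000003; rev:1;)
```

Two things to check on a sensor before trusting this. First, both rules match the same packet, and Snort's event queue decides how many events per packet are acted on; the default `config event_queue: max_queue 8 log 3` is enough for two, but if `log` has been lowered to 1 only the first queued event fires. Second, `track by_src` keys the limit on the source address, so with a bidirectional `<>` rule a reply from an internal host to 192.168.1.5 is counted under that internal host's source address and can produce its own alert; use `track by_dst`, or one rule per direction, if a single alert for the whole conversation is wanted. The same threshold can be moved out of the rule into snort.conf as `event_filter gen_id 1, sig_id 80000002, type limit, track by_src, count 1, seconds 300` with identical effect, since the dump rule has a different sid.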
Current thread:
- custom snort rule for packet capture Le CON (Dec 10)