Snort mailing list archives

Re: Monitor traffic from a specific domain?

From: Robert van der Meulen <rvdm () cistron nl>
Date: Wed, 25 Jul 2001 02:33:40 +0200

Hi,

Quoting Sheahan, Paul (PCLN-NW) (Paul.Sheahan () priceline com):

We suspect some hacker is trying to hack some of our servers and expect that
he will return soon. I would like to be able to setup snort to log/dump
everything from this hackers domain once he returns. Does anyone know how I
can do this? For example, I know this hacker is from, let's say,
"somemachine.domain.com". I'm not sure if he has a static IP or not so I'd
just like to log anything from "domain.com".

I really like snort, but isn't it easier to make packet traces/dumps using
tcpdump or (t)ethereal for this, maybe running them trough snort later ?
This will allow you to do much finer-grained analysis on the
wannabe-intruder's traffic, as snort will only keep things it alerts on.

Greets,
        Robert
-- 
                              Linux Generation
   encrypted mail preferred. finger rvdm () debian org for my GnuPG/PGP key.
                  Save the whales.  Collect the whole set.

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Current thread:

Monitor traffic from a specific domain? Sheahan, Paul (PCLN-NW) (Jul 24)
- Re: Monitor traffic from a specific domain? Larry E. Smith Jr. (Jul 24)
- Re: Monitor traffic from a specific domain? Robert van der Meulen (Jul 24)
- Re: Monitor traffic from a specific domain? Jim Starke (Jul 24)