Snort mailing list archives

Re: Catchall Rule

From: "Rodney Green" <rgreen () trayerproducts com>
Date: Thu, 6 Feb 2003 09:39:33 -0500

RE: [Snort-users] Catchall RuleJohn,

How do you get the data captured by those rules into the DB? I'd like
to play around with doing that.

Thanks,
Rod
  ----- Original Message ----- 
  From: John Cherbini 
  To: 'Snort User Groups' 
  Sent: Wednesday, February 05, 2003 11:28 PM
  Subject: RE: [Snort-users] Catchall Rule


  We wanted to have them all logged into a DB, and most importantly, parsed!  And we didn't feel like writing our own 
parser.

  I've got it figured out though......with these rules 

  ######CATCHALL RULES######## 
  alert tcp any any -> any any (msg: \"tcp traffic\";) 
  alert udp any any -> any any (msg: \"udp traffic\";) 
  alert icmp any any -> any any (msg: \"icmp traffic\";) 
  ############################ 

  John C. 

  > -----Original Message----- 
  > From: Jacob Redding [mailto:dextor () WiredGeek com] 
  > Sent: Wednesday, February 05, 2003 9:18 PM 
  > To: John Cherbini 
  > Cc: 'Snort User Groups' 
  > Subject: Re: [Snort-users] Catchall Rule 
  > 
  > 
  >   Why not just use tcpdump?? 
  > 
  > -Jacob 
  > 
  > On Wed, 5 Feb 2003, John Cherbini wrote: 
  > 
  > > Hello everyone... 
  > > 
  > > We're working on a project, where as a part of it, we would like to 
  > > use snort to add *every* packet it reads in a file to the DB. 
  > > 
  > > I've got the command line down, but I'd like to check on a 
  > rule that 
  > > will set *every* packet to generate a flag. 
  > > 
  > > After looking through this doc.. 
  > > 
  > > http://www.snort.org/docs/writing_rules/chap2.html 
  > > 
  > > I'm thinking something like this: 
  > > 
  > > Alert tcp any any -> any (content:"|45 00|"; msg: "Catchall Rule";) 
  > > Alert udp any any -> any (content:"|45 00|"; msg: "Catchall Rule";) 
  > > Alert icmp any any -> any (content:"|45 00|"; msg: "Catchall Rule";) 
  > > 
  > > My concern is the third "any"...not sure if that will work. 
  > > 
  > > Does anyone have any input on this? 
  > > 
  > > I'd appreciate any advice! 
  > > 
  > > Thanks! 
  > > 
  > > John Cherbini 
  > > 
  >

Current thread:

Catchall Rule John Cherbini (Feb 05)
- Re: Catchall Rule twig les (Feb 05)
  - Re: Catchall Rule Ashley Thomas (Feb 05)
- Re: Catchall Rule Jacob Redding (Feb 06)
- <Possible follow-ups>
- RE: Catchall Rule John Cherbini (Feb 05)
  - Re: Catchall Rule Rodney Green (Feb 06)
    - RE: Catchall Rule John Cherbini (Feb 06)
- RE: Catchall Rule John Cherbini (Feb 05)
- Re: Catchall rule njharris (Feb 05)
- RE: Catchall Rule Gary Hill (Feb 06)
  - RE: Catchall Rule Erek Adams (Feb 06)
    - RE: Catchall Rule John Cherbini (Feb 06)
    - Re: Catchall Rule Ashley Thomas (Feb 06)
    - Re: Catchall Rule Martin Roesch (Feb 10)
- RE: Catchall Rule Gonzalez, Albert (Feb 06)
- RE: Catchall Rule Gary Hill (Feb 06)

(Thread continues...)