Snort mailing list archives

RE: Catchall Rule


From: "Gary Hill" <ghill () domicilium com>
Date: Thu, 6 Feb 2003 15:53:37 -0000

that's nice ..... ;-)

        -----Original Message----- 
        From: Gonzalez, Albert [mailto:albert.gonzalez () eds com] 
        Sent: Thu 06/02/2003 15:54 
        To: 'Erek Adams'; Gary Hill 
        Cc: Rodney Green; John Cherbini; Snort User Groups 
        Subject: RE: [Snort-users] Catchall Rule
        
        

        Hey sexy! How are you this morning? I haven't forgotten about you with the
        whole job thing,
        
        I just have to get in contact with someone in our New York Office, and see
        what they do, dunno if they are sales or consultants..
        we shall see.. sorry it is taking so long n stuff..
        
        Cheers!
        
                Alberto Gonzalez
        
        Alberto Gonzalez
        EDS - Global Security Operations Center
        Security and Privacy Professional Services
        
        
        
        
        
        -----Original Message-----
        From: Erek Adams [mailto:erek () snort org]
        Sent: Thursday, February 06, 2003 10:32 AM
        To: Gary Hill
        Cc: Rodney Green; John Cherbini; Snort User Groups
        Subject: RE: [Snort-users] Catchall Rule
        
        
        On Thu, 6 Feb 2003, Gary Hill wrote:
        
        > I take it this rule won't capture non-tcp/udp/icmp traffic such as IPSEC!
        
        > Can you create a rule that looks at all IP traffic, rather than each
        > protocol on top of it?
        
        Sure.
        
        # no trailing ';' on a rule header; options, if any, go in parentheses
        log ip any any -> $HOME_NET any
        
        But traffic isn't always ip traffic....
        
        log icmp any any -> $HOME_NET any
        # Snort rule headers accept only ip, tcp, udp or icmp, so this line will not load
        log arp any any -> $HOME_NET any
        
        (Ok, the last one is silly, but he said "all traffic". :)
        
        From what I'm getting, you want to snarf all the frames on the wire, then
        shove that into a DB.  If you do, be _sure_ to have acres of disk, and one
        helluva machine for the DB.  You might get better performance using
        Barnyard to spool the files.  If realtime isn't an issue, you might be
        better off with tcpdump and then using Snort to post process.
        
        Cheers!
        
        -----
        Erek Adams
        
           "When things get weird, the weird turn pro."   H.S. Thompson
        
        
        -------------------------------------------------------
        This SF.NET email is sponsored by:
        SourceForge Enterprise Edition + IBM + LinuxWorld = Something 2 See!
        http://www.vasoftware.com
        _______________________________________________
        Snort-users mailing list
        Snort-users () lists sourceforge net
        Go to this URL to change user options or unsubscribe:
        https://lists.sourceforge.net/lists/listinfo/snort-users
        Snort-users list archive:
        http://www.geocrawler.com/redir-sf.php3?list=snort-users
        

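The catch-all coverage Erek describes, as an added example that is not part of the original thread and not Snort's own code: a toy parser for Snort rule headers run over a handful of constructed sample packets (SSH, DNS, ping, IPsec ESP and one ARP frame, with $HOME_NET assumed to be 192.0.2.0/24). It shows that only the "ip" rule logs the ESP packet Gary asked about, that per-protocol rules miss it, that nothing in the rules engine sees the ARP frame, and that a trailing ';' or a protocol of "arp" is rejected as header syntax. The matcher is a simplification of Snort's (headers only, no options, no fragment or variable-list handling).

```python
"""Toy Snort-style rule-header matcher.

Added example, not Snort's own code: parses rule headers such as
'log ip any any -> $HOME_NET any' and checks which constructed sample
packets each header would match, to show why a protocol of 'ip' is needed
to catch non-TCP/UDP/ICMP traffic such as IPsec (ESP/AH).
"""
import ipaddress
import re

# Protocols a Snort 2 rule header accepts.
RULE_PROTOS = {"ip", "tcp", "udp", "icmp"}
# IANA IP protocol numbers for the sample packets below.
IP_PROTO_NUMS = {"icmp": 1, "tcp": 6, "udp": 17, "esp": 50, "ah": 51}
# Assumed value for the $HOME_NET variable (constructed, documentation range).
VARS = {"$HOME_NET": "192.0.2.0/24"}

HEADER_RE = re.compile(
    r"^(?P<action>alert|log|pass|drop|reject|sdrop)\s+(?P<proto>\S+)\s+"
    r"(?P<src>\S+)\s+(?P<sport>\S+)\s+(?P<dir>->|<>)\s+"
    r"(?P<dst>\S+)\s+(?P<dport>\S+)\s*(\(.*\))?$"
)

# Constructed sample traffic: four IP packets and one non-IP (ARP) frame.
SAMPLE_PACKETS = [
    {"name": "ssh", "ip": True, "proto": 6, "src": "198.51.100.7", "sport": 40000,
     "dst": "192.0.2.10", "dport": 22},
    {"name": "dns", "ip": True, "proto": 17, "src": "198.51.100.7", "sport": 53,
     "dst": "192.0.2.10", "dport": 53},
    {"name": "ping", "ip": True, "proto": 1, "src": "198.51.100.7", "sport": None,
     "dst": "192.0.2.10", "dport": None},
    {"name": "esp", "ip": True, "proto": 50, "src": "198.51.100.7", "sport": None,
     "dst": "192.0.2.10", "dport": None},
    {"name": "arp", "ip": False, "proto": None, "src": None, "sport": None,
     "dst": None, "dport": None},
]


def parse_header(rule):
    """Return the header fields as a dict; raise ValueError on bad syntax."""
    text = rule.strip()
    if text.endswith(";"):
        raise ValueError("stray ';' after the header: options belong inside (...)")
    m = HEADER_RE.match(text)
    if not m:
        raise ValueError(f"cannot parse rule header: {rule!r}")
    h = m.groupdict()
    if h["proto"] not in RULE_PROTOS:
        raise ValueError(f"{h['proto']!r} is not a rule protocol, expected one of {sorted(RULE_PROTOS)}")
    return h


def is_valid_rule(rule):
    """True if parse_header accepts the rule."""
    try:
        parse_header(rule)
    except ValueError:
        return False
    return True


def _addr_matches(spec, addr):
    spec = VARS.get(spec, spec)  # expand $VARIABLES
    if spec == "any":
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def _port_matches(spec, port):
    if spec == "any":
        return True
    return port is not None and int(spec) == port  # portless protocols never match a numeric port


def _one_way(pkt, src, sport, dst, dport):
    return (_addr_matches(src, pkt["src"]) and _port_matches(sport, pkt["sport"])
            and _addr_matches(dst, pkt["dst"]) and _port_matches(dport, pkt["dport"]))


def matches(header, pkt):
    """True if a parsed header matches a sample packet. Non-IP frames never match."""
    if not pkt["ip"]:
        return False
    if header["proto"] != "ip" and IP_PROTO_NUMS.get(header["proto"]) != pkt["proto"]:
        return False
    if _one_way(pkt, header["src"], header["sport"], header["dst"], header["dport"]):
        return True
    # bidirectional rules also match the reverse direction
    return header["dir"] == "<>" and _one_way(pkt, header["dst"], header["dport"],
                                              header["src"], header["sport"])


def coverage(rule, packets=SAMPLE_PACKETS):
    """Names of the sample packets a rule would log."""
    header = parse_header(rule)
    return [p["name"] for p in packets if matches(header, p)]


if __name__ == "__main__":
    for rule in ("log ip any any -> $HOME_NET any",
                 "log tcp any any -> $HOME_NET any",
                 "log icmp any any -> $HOME_NET any",
                 "log ip any any -> $HOME_NET any;",
                 "log arp any any -> $HOME_NET any"):
        try:
            print(f"{rule:40} -> {coverage(rule)}")
        except ValueError as err:
            print(f"{rule:40} -> rejected: {err}")
```

Running it lists ssh, dns, ping and esp for the "ip" rule and only ssh for the tcp rule; the ARP frame appears in no list because it carries no IP header at all, which is the same reason a rule cannot be written for it.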