Snort mailing list archives

Re: Capturing incoming packets?


From: Erek Adams <erek () snort org>
Date: Mon, 16 Jun 2003 10:16:23 -0400 (EDT)

On Sat, 14 Jun 2003 guano () hackerfactor com wrote:

[...snip...]

Thus, snort will capture exactly half of this session.

Since the entire session was initiated by <IP>, I want the entire
session filtered.  Not just the requests, but the replies as well.
Any snort option that does not take session-tracking into account will
be unable to do this.

Is there a method for snort to capture everything that is not part of
a session initiated by <IP>?

What you are trying to do isn't really as easy as it seems.  Basically,
you're wanting Snort to grab all incoming packets that aren't in response
to an initiated connection.  If that's correct then I don't know of any
way for it to be done.  There's not a plugin that does that, and stream4
can handle the streams part but it doesn't really track the state in that
way.  You could use "flow: to_server, established" and tag some of the
packets, but that's still not going to do exactly what you want.  You
might want to try to log everything to a pcap, and using a fairly complex
bpf statement to filter out what you don't want to see.  Then you could
run the resulting file back thru Snort and alert on the odd events.
That's still not going to be exactly what you want...

:(  Wish I could give you a better answer, but I just don't have any idea
on how that could be done.  Anyone else?

Cheers!

-----
Erek Adams

   "When things get weird, the weird turn pro."   H.S. Thompson
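The session-aware filtering the thread says Snort itself cannot do, written as an added example (not code from the thread or from Snort): it walks constructed packet records instead of a pcap, and HOST stands in for the <IP> in the original question.

```python
# Added example: a minimal stateful filter that keeps only packets sent to
# HOST which are not replies within a session HOST initiated. Packet records
# are constructed 5-tuples plus the two TCP flags the logic needs; reading a
# real pcap is left out so the block runs stand-alone.
from dataclasses import dataclass

HOST = "10.0.0.5"  # constructed stand-in for the <IP> in the question


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False


def session_key(pkt):
    """Order the endpoints so both directions of a flow share one key."""
    a = (pkt.src, pkt.sport)
    b = (pkt.dst, pkt.dport)
    return (a, b) if a <= b else (b, a)


def unsolicited_inbound(packets, host=HOST):
    """Return packets addressed to `host` that do not belong to a session
    `host` opened. A bare SYN (SYN set, ACK clear) starts a session; if that
    SYN came from `host` the session is host-initiated and all later packets
    in it, replies included, are dropped. Inbound packets with no recorded
    session state are kept, so an unsolicited ACK-only probe is reported."""
    initiated_by_host = {}  # session_key -> True if host sent the SYN
    kept = []
    for pkt in packets:
        key = session_key(pkt)
        if pkt.syn and not pkt.ack:
            initiated_by_host[key] = (pkt.src == host)
        if pkt.dst != host:
            continue  # outbound or unrelated traffic: not of interest here
        if initiated_by_host.get(key):
            continue  # reply inside a session host opened: drop it
        kept.append(pkt)
    return kept
```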

