Snort mailing list archives
Re: Rules Question
From: "Jon Baer" <security () jonbaer net>
Date: Wed, 6 Aug 2003 11:37:18 -0700
you could try logging the traffic/alerts with the session keyword:

log tcp any any -> 192.168.1.0/24 $PORT (session: all;)
alert tcp any any -> 192.168.1.0/24 $PORT (session: all;)

not sure if that will help in ur case ...

- jon

pgp key: http://www.jonbaer.net/jonbaer.asc
fingerprint: F438 A47E C45E 8B27 F68C 1F9B 41DB DB8B 9A0C AF47

----- Original Message -----
From: "Erek Adams" <erek () snort org>
To: "Stevo" <checkpoint () ozbergs com>
Cc: <snort-users () lists sourceforge net>
Sent: Wednesday, August 06, 2003 7:59 AM
Subject: Re: [Snort-users] Rules Question
On Tue, 5 Aug 2003, Stevo wrote:

> I'm creating some new rules to use... I'm looking for certain keywords in
> packets and have got the rule working, but I'm interested in seeing more of
> the Payload... right now I'm just getting the line that includes that
> keyword... how can I tell ACID to show me 10 lines on either side of the
> keyword for example??

You can't. It's not a function of ACID. Snort fires an alert. That alert
contains all the packet data, but ONLY for the single packet that created the
alert. No more.

You'd need to capture the packets before and after the one that triggered the
alert. You can use tagging to do that (sorta), but only from _that_ point. If
the alert triggers on packet X, then you could tag packets X + Z, but not
X - Z.

Cheers!

-----
Erek Adams
"When things get weird, the weird turn pro." H.S. Thompson
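As an added illustration (not from any post in the thread), the two Snort mechanisms discussed above side by side: a plain alert that captures only the matching packet, Jon's `session` keyword, which writes the payload of every packet on the port to a per-session file, and Erek's tagging, which keeps logging the same session after the trigger. It assumes Snort 2.x rule syntax and that $HOME_NET and $PORT are defined in snort.conf.

```snort
# Added illustration for the thread above; not from the original posts.
# Snort 2.x rule syntax. $HOME_NET and $PORT are assumed to be set in
# snort.conf (e.g. "var HOME_NET 192.168.1.0/24" and "portvar PORT 80").
# Backslash at end of line continues a rule onto the next line.

# 1) Stevo's situation: the alert carries only the one packet that matched,
#    so ACID can show nothing beyond that packet's payload.
alert tcp any any -> $HOME_NET $PORT (msg:"KEYWORD in payload (single packet)"; \
    content:"KEYWORD"; nocase; sid:1000001; rev:1;)

# 2) Jon's suggestion: a log rule with no content match, so every packet to
#    $PORT is appended to its session file under the log directory. The whole
#    conversation is then readable, before and after the keyword, at the cost
#    of logging everything on that port (volume and privacy of that data are
#    the defender's trade-off here). "printable" keeps only printable bytes;
#    "all" writes every byte with non-printable ones in hexadecimal.
log tcp any any -> $HOME_NET $PORT (msg:"session dump on PORT"; \
    session:printable; sid:1000002; rev:1;)

# 3) Erek's point: after the matching packet X, keep logging the next 20
#    packets of the same session (X+1 .. X+20). Packets before X are never
#    tagged, so this only covers the "after" half of the request.
alert tcp any any -> $HOME_NET $PORT (msg:"KEYWORD, tag rest of session"; \
    content:"KEYWORD"; nocase; tag:session,20,packets; sid:1000003; rev:1;)
```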
Current thread:
- Rules Question Stevo (Aug 05)
- Re: Rules Question Stevo (Aug 05)
- Re: Rules Question Jon Baer (Aug 05)
- Re: Rules Question Erek Adams (Aug 06)
- Re: Rules Question Jon Baer (Aug 06)
- Re: Rules Question Stevo (Aug 06)
- Re: Rules Question Erek Adams (Aug 06)
- <Possible follow-ups>
- RE: Rules Question Nelson, Ben (Aug 05)
- RE: Rules Question Nelson, Ben (Aug 05)
- Re: Rules Question Stevo (Aug 05)