Snort mailing list archives

Re: newbie ? about tcp packet collection for specific ip


From: sgt_b <sgt_b () security-forums com>
Date: Mon, 03 May 2004 12:38:55 -0500

Why not just use a packet sniffer for this purpose? It seems that tcpdump (or windump) would fit this need perfectly. Just use `tcpdump -nvXs 0 -w logfile.log host <host> and tcp port 515'. That would capture all traffic to that host destined for port 515. That being said, snort can be used in "sniffer" mode as well, and write the output to a log file. The same bpf filter mentioned above could be used along with snort: `snort -D -d -l <logging directory> host <host> and tcp port 515'. This would put snort in daemon mode, and log all packets destined for your host on tcp port 515. You may have to add additional flags to snort to get the output you desire, of course.

Hope this helps!
sgt_b

Janet Norton wrote:

Before I spend too much time playing around with snort, I wonder if someone can confirm whether snort would meet my needs for a specific application. I need a non-interactive process which will monitor a small network at the company to intercept tcp traffic going to a printer. This process would run continuously, but once the tcp printer traffic is detected a different program would be initiated to process the data. Currently I have been playing with a perl script which continuously executes tethereal every 60 sec, and I process the log for data of interest.
tethereal.exe -f "dst 149.59.152.28" -a duration:60 -w outfile
I wondered if I could use snort and create a specific rule file for tcp traffic (maybe to include only tcp port 515 packets)? My expectation is the log file would only be created when tcp traffic to the printer occurs, and the content of the tcp stream is present in the log. If I could start snort in daemon mode and have it constantly append to the log, then I could have another program running which monitors the log and, when new data is present, processes the data. Please confirm if snort could work in this manner, and if so can you provide the correct syntax for snort and the rule using the details I provided above. Any suggestions are appreciated. THANKS!




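The "second program" Janet describes (poll the capture file, pull out only the new packets headed for the printer's LPD port) combined with the filter sgt_b quotes, as an added example that is not part of this thread: a small Python reader for the classic libpcap file format that `tcpdump -w` (and snort's binary packet log) writes. It implements the one-directional variant of the filter, `dst host <host> and tcp dst port 515`, in plain Python, and returns the file offset it stopped at so a poller can resume from there on the next pass; the helper that builds a tiny capture is constructed test data, not a real trace, and the printer address 149.59.152.28 is the one from the original question.

```python
import struct
import socket

LPD_PORT = 515  # the tcp port the thread filters on (LPD / line printer daemon)

def build_packet(dst_ip, dst_port, payload=b""):
    """Constructed Ethernet/IPv4/TCP frame for testing; not a real capture."""
    tcp = struct.pack("!HHIIBBHHH", 40000, dst_port, 0, 0, 5 << 4, 0x18, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     socket.inet_aton("10.0.0.5"), socket.inet_aton(dst_ip))
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp  # zero MACs, ethertype IPv4

def build_pcap(frames):
    """Wrap frames in the classic libpcap file format (linktype 1 = Ethernet)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1000 + i, 0, len(frame), len(frame)) + frame
    return out

def matches(frame, host, port):
    """Equivalent of the BPF filter 'dst host <host> and tcp dst port <port>'."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return False  # not IPv4 over Ethernet
    if frame[23] != 6:
        return False  # IP protocol field: 6 = TCP
    ihl = (frame[14] & 0x0F) * 4
    tcp = frame[14 + ihl:]
    if len(tcp) < 20:
        return False
    dst_ip = socket.inet_ntoa(frame[30:34])
    return dst_ip == host and struct.unpack("!H", tcp[2:4])[0] == port

def scan_pcap(data, host, port=LPD_PORT, offset=24):
    """Walk pcap records from `offset` (24 = just past the global header).
    Returns (matching TCP payloads, new offset) so a poller can resume where it
    left off as tcpdump or snort appends to the file."""
    hits = []
    while offset + 16 <= len(data):
        incl = struct.unpack("<IIII", data[offset:offset + 16])[2]
        end = offset + 16 + incl
        if end > len(data):
            break  # record still being written; pick it up on the next poll
        frame = data[offset + 16:end]
        if matches(frame, host, port):
            ihl = (frame[14] & 0x0F) * 4
            tcp = frame[14 + ihl:]
            hits.append(tcp[(tcp[12] >> 4) * 4:])  # strip TCP header, keep payload
        offset = end
    return hits, offset
```

A poller would read the growing file, call `scan_pcap` with the offset returned last time, and hand the returned payloads to whatever processes the print jobs.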