Snort mailing list archives

Re: Re: Delivery status notification (failure)


From: Joel Esler <eslerj () gmail com>
Date: Tue, 7 Jun 2005 06:41:05 -0400

I'm not sure I understand your question.  I think what you are aiming
for is a rule to capture everything?

That would be three rules:

alert tcp any any -> any any (msg:"TCP Capture";)
alert udp any any -> any any (msg:"UDP Capture";)
alert icmp any any -> any any (msg:"ICMP Capture";)

However, I would not recommend these sigs, as they will light your
Snort IDS up like a Christmas tree.

On 6/6/05, Daniel Rocha <listas.dl () gmail com> wrote:
TCP PORTSCAN - log all packets?

I am running snort 2.3.0 (Build 10) and in my snort.conf I enabled:
"output log_tcpdump: tcpdump.log" to log in binary tcpdump mode.

I am having a problem when I run a TCP portscan (and other types). I
need to see all packets related to the portscan in the log, but
just two packets are logged, like:

16:13:10.119122 IP x > y: icmp 8: echo request seq 0
16:13:10.451484 IP x > y:  raw 147

And the alert file shows:

[**] [1:469:3] ICMP PING NMAP [**]
[Classification: Attempted Information Leak] [Priority: 2]
06/06-16:13:10.119122 x -> y
ICMP TTL:48 TOS:0x0 ID:52088 IpLen:20 DgmLen:28
Type:8  Code:0  ID:2209   Seq:0  ECHO
[Xref => http://www.whitehats.com/info/IDS162]

[**] [122:1:0] (portscan) TCP Portscan [**]
06/06-16:13:10.451484 x -> y
RAW TTL:0 TOS:0x0 ID:22633 IpLen:20 DgmLen:167 DF

Does anyone know how I can log all packets?



-------------------------------------------------------
This SF.Net email is sponsored by: NEC IT Guy Games.  How far can you shotput
a projector? How fast can you ride your desk chair down the office luge track?
If you want to score the big prize, get to know the little guy.
Play to win an NEC 61" plasma display: http://www.necitguy.com/?r
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

-- 
Joel Esler
BASE Project Lead
http://sourceforge.net/projects/secureideas
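The two log entries Daniel quotes differ in kind: the NMAP ping is a captured frame, while the portscan entry is the preprocessor's own summary packet (RAW, TTL 0). Here is an added example, not from the thread or from Snort itself, that parses that full-alert format and separates the two; the alert text is constructed from the records quoted above, and the GID split (1 = rules engine, anything else = a preprocessor such as sfPortscan at 122) is Snort's generator-ID convention.

```python
import re

# Constructed sample: the two alert records quoted in the thread above.
ALERT_FILE = """\
[**] [1:469:3] ICMP PING NMAP [**]
[Classification: Attempted Information Leak] [Priority: 2]
06/06-16:13:10.119122 x -> y
ICMP TTL:48 TOS:0x0 ID:52088 IpLen:20 DgmLen:28
Type:8  Code:0  ID:2209   Seq:0  ECHO
[Xref => http://www.whitehats.com/info/IDS162]

[**] [122:1:0] (portscan) TCP Portscan [**]
06/06-16:13:10.451484 x -> y
RAW TTL:0 TOS:0x0 ID:22633 IpLen:20 DgmLen:167 DF
"""

HEAD = re.compile(r"\[\*\*\] \[(\d+):(\d+):(\d+)\] (.+?) \[\*\*\]")
CLASS = re.compile(r"\[Classification: (.+?)\] \[Priority: (\d+)\]")
ADDR = re.compile(r"(\d\d/\d\d-\d\d:\d\d:\d\d\.\d+) (\S+) -> (\S+)")
PROTO = re.compile(r"(\w+) TTL:(\d+) .*?DgmLen:(\d+)")

def parse_alerts(text):
    """Parse Snort 'full' alert output into one dict per [**] block."""
    alerts = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.splitlines()
        m = HEAD.match(lines[0])
        if not m:
            continue  # not an alert header; skip the block
        a = {"gid": int(m[1]), "sid": int(m[2]), "rev": int(m[3]), "msg": m[4],
             "classification": "", "priority": 0}
        for line in lines[1:]:
            if c := CLASS.match(line):
                a["classification"], a["priority"] = c[1], int(c[2])
            elif t := ADDR.match(line):
                a["timestamp"], a["src"], a["dst"] = t[1], t[2], t[3]
            elif p := PROTO.match(line):
                a["proto"], a["ttl"], a["dgmlen"] = p[1], int(p[2]), int(p[3])
        alerts.append(a)
    return alerts

def is_preprocessor_alert(a):
    """GID 1 is the rules engine; any other GID (122 = sfPortscan) is a preprocessor."""
    return a["gid"] != 1

def pseudo_packet_alerts(alerts):
    """Alerts whose logged 'packet' is a synthesised summary (RAW, TTL 0), as the
    portscan entry quoted in the thread shows, rather than one of the scan's own frames."""
    return [a for a in alerts if a.get("proto") == "RAW" and a.get("ttl") == 0]
```

Feeding the alert file through this makes it obvious why the tcpdump log holds only two packets: the only thing the portscan preprocessor handed to the logger was its summary, so the scan's individual probes never matched anything that would log them.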