Snort mailing list archives

Re: How to know what is "any" ip address???


From: waldo kitty <wkitty42 () windstream net>
Date: Thu, 05 Feb 2015 09:31:10 -0500

On 2/4/2015 1:04 AM, zT wrote:
> thanks so much, but this file is unreadable. can this be stored in ASCII format?

no... it is the actual binary packet from the network... you need to use a tool 
like wireshark or tcpdump to be able to read the contents...


ALSO: please read and follow my signature... *keep list traffic on the list*... 
i do not provide private assistance without a signed prepaid contract... thank 
you...

On Wed, Feb 4, 2015 at 6:17 AM, waldo kitty <wkitty42 () windstream net> wrote:

    On 2/2/2015 8:11 AM, zT wrote:
     > hello all i use
     > alert tcp any any -> any any (msg:"network found in packet content!!!";
     > content:"network"; sid:10000; )
     > when snort finds a packet with FB content i want to know which ip address this
     > packet comes from (ip header of packet) and store this packet (its content and
     > headers) in a file.
     > how can i do this?

    by default, if you haven't changed the output stuff, snort puts this information
    in the captured pcap file named snort.log.xxxxxxxxxx that is active at the time
    the alert was fired... there's one snort.log.xxxxxxxxxx pcap file active for
    each execution of snort...

-- 
  NOTE: No off-list assistance is given without prior approval.
        Please *keep mailing list traffic on the list* unless
        private contact is specifically requested and granted.
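
Added example, not part of the original thread: a small reader for the binary snort.log.xxxxxxxxxx pcap file that returns the source and destination address of each logged TCP packet along with its payload. It assumes the classic microsecond libpcap format with Ethernet framing and IPv4; the function names and the one-packet sample capture are constructed for illustration.

```python
import socket
import struct

def read_alert_packets(data):
    """Return (src_ip, src_port, dst_ip, dst_port, payload) per TCP/IPv4 packet."""
    if data[:4] == b"\xd4\xc3\xb2\xa1":      # little-endian capture file
        endian = "<"
    elif data[:4] == b"\xa1\xb2\xc3\xd4":    # big-endian capture file
        endian = ">"
    else:
        raise ValueError("not a classic libpcap file")
    if struct.unpack(endian + "I", data[20:24])[0] != 1:
        raise ValueError("only Ethernet link type is handled here")
    found, off = [], 24                       # 24-byte global header
    while off + 16 <= len(data):              # 16-byte per-packet record header
        caplen = struct.unpack(endian + "IIII", data[off:off + 16])[2]
        frame = data[off + 16:off + 16 + caplen]
        off += 16 + caplen
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue                          # not IPv4 over Ethernet
        ip = frame[14:]
        ihl = (ip[0] & 0x0F) * 4              # IP header length in bytes
        total_len = struct.unpack("!H", ip[2:4])[0]
        tcp = ip[ihl:total_len]
        if ip[9] != 6 or len(tcp) < 20:
            continue                          # not TCP, or truncated header
        src = socket.inet_ntoa(ip[12:16])     # source address from the IP header
        dst = socket.inet_ntoa(ip[16:20])
        sport, dport = struct.unpack("!HH", tcp[:4])
        payload = tcp[(tcp[12] >> 4) * 4:]    # skip TCP header and options
        found.append((src, sport, dst, dport, payload))
    return found

def build_sample_pcap():
    """Constructed one-packet capture using documentation addresses."""
    payload = b"GET /network HTTP/1.0\r\n\r\n"
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 1, 5 << 4, 0x18, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     socket.inet_aton("192.0.2.10"), socket.inet_aton("198.51.100.5"))
    frame = b"\x00" * 12 + b"\x08\x00" + ip + tcp
    ghdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    rec = struct.pack("<IIII", 1423146670, 0, len(frame), len(frame))
    return ghdr + rec + frame

if __name__ == "__main__":
    for src, sport, dst, dport, payload in read_alert_packets(build_sample_pcap()):
        print(f"{src}:{sport} -> {dst}:{dport} {payload!r}")
```

For a real log, pass the file's bytes instead of the sample: read_alert_packets(open(path, "rb").read()).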


