Snort mailing list archives
Re: tag:host
From: "Al Lewis (allewi)" <allewi () cisco com>
Date: Wed, 15 Apr 2015 21:09:35 +0000
Hello Qiao,

Do you want to just capture "interesting traffic" (alert) or ALL traffic from src and destination after the initial alert as well? Tagging allows you to log any other traffic between those hosts for a specified time or packet count after the initial alert. For the logging you have several output formats to choose from.

Section on tagging: http://manual.snort.org/node34.html#SECTION00475000000000000000

Section on logging: http://manual.snort.org/node21.html

Hope this helps!

Albert Lewis
QA Software Engineer
SOURCEfire, Inc. now part of Cisco
9780 Patuxent Woods Drive
Columbia, MD 21046
Phone: (office) 443.430.7112
Email: allewi () cisco com

From: Xin, Qiao [mailto:qxin () cio sc gov]
Sent: Wednesday, April 15, 2015 1:54 PM
To: snort-users () lists sourceforge net
Subject: [Snort-users] tag:host

Hi,

I have a question on how the tag:host works. I have a rule based on the content of the packet as

alert udp $HOME_NET any -> any any (msg:"suspicious traffic--";content:"bad content";nocase; tag:host, 60, packets, dst; classtype:bad-unknown;sid:1000001;rev:0;)

I want to capture traffic coming from any HOME_NET host to the destination IP in the alert packets. Will "tag:host" and the "dst" option work? If it works, in which file will the packets captured by the tag:host be stored? How can we easily associate the packets captured by the tag:host action with the packets captured by the snort alert?

Thanks,
Qiao
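As an added illustration of the tagging behaviour discussed above (this is my own example, not code from the thread or from Snort itself): a small Python model that reads the content and tag options out of Qiao's rule and then replays a constructed packet stream, logging the alerting packet plus the follow-on packets that carry the tagged IP. It models only `tag:host` with the `packets` metric; the packet addresses and payloads are made up for the demonstration.

```python
# Added example, not Snort's implementation: a simplified model of how the
# tag option selects follow-on packets after a content match.
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    payload: str


def parse_tag(rule):
    """Return (type, count, metric, direction) from the rule's tag option."""
    m = re.search(r"tag:\s*(host|session)\s*,\s*(\d+)\s*,\s*(packets|seconds|bytes)"
                  r"(?:\s*,\s*(src|dst))?", rule)
    if not m:
        raise ValueError("rule has no tag option")
    ttype, count, metric, direction = m.groups()
    return ttype, int(count), metric, direction


def parse_content(rule):
    """Return the first content:"..." string of the rule."""
    m = re.search(r'content:\s*"([^"]*)"', rule)
    if not m:
        raise ValueError("rule has no content option")
    return m.group(1)


def tagged_packets(rule, stream):
    """Replay the stream: the first packet whose payload contains the rule's
    content (case-insensitive, as nocase) raises the alert. With tag:host the
    IP to follow is the alert packet's dst (direction dst) or src (direction
    src; also assumed here when no direction is given). Up to <count> later
    packets that carry that IP as src or dst are logged as tagged."""
    ttype, count, metric, direction = parse_tag(rule)
    if ttype != "host" or metric != "packets":
        raise NotImplementedError("this model handles only tag:host ... packets")
    content = parse_content(rule).lower()
    logged, tagged_ip, remaining = [], None, 0
    for pkt in stream:
        if tagged_ip is None:
            if content in pkt.payload.lower():
                tagged_ip = pkt.dst if direction == "dst" else pkt.src
                remaining = count
                logged.append(("alert", pkt))
            continue
        if remaining > 0 and tagged_ip in (pkt.src, pkt.dst):
            logged.append(("tag", pkt))
            remaining -= 1
    return logged
```

With Qiao's rule, a later packet from a different HOME_NET host to the same destination is tagged, while traffic from the alerting host to some other destination is not.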