Snort mailing list archives

Re: tag:host


From: "Al Lewis (allewi)" <allewi () cisco com>
Date: Thu, 16 Apr 2015 01:02:45 +0000

Yes.

Please review the section on tagging as it explains how to set up tagging on source, destination or session.


Albert Lewis
QA Software Engineer
SOURCEfire, Inc. now part of Cisco
9780 Patuxent Woods Drive
Columbia, MD 21046
Phone: (office) 443.430.7112
Email: allewi () cisco com

From: Xin, Qiao [mailto:qxin () cio sc gov]
Sent: Wednesday, April 15, 2015 6:55 PM
To: Al Lewis (allewi)
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] tag:host

Hi Al,

Thanks for the reply.
I understand tagging will log other traffic between the source and destination IPs.
Can tagging log traffic from a host other than the source IP to the destination IP? Or can it log traffic from the source IP to a host other than the destination IP?

Thanks again,
Qiao

On Apr 15, 2015, at 5:09 PM, Al Lewis (allewi) <allewi () cisco com> wrote:
Hello Qiao,

Do you want to just capture "interesting traffic" (alert) or ALL traffic from src and destination after the initial alert as well?

Tagging allows you to log any other traffic between those hosts for a specified time or packet count after the initial alert.

For the logging you have several output formats to choose from.


Section on tagging: http://manual.snort.org/node34.html#SECTION00475000000000000000

Section on logging: http://manual.snort.org/node21.html


Hope this helps!


Albert Lewis
QA Software Engineer
SOURCEfire, Inc. now part of Cisco
9780 Patuxent Woods Drive
Columbia, MD 21046
Phone: (office) 443.430.7112
Email: allewi () cisco com

From: Xin, Qiao [mailto:qxin () cio sc gov]
Sent: Wednesday, April 15, 2015 1:54 PM
To: snort-users () lists sourceforge net
Subject: [Snort-users] tag:host

Hi,

I have a question on how the tag:host works. I have a rule based on the content of the packet as

alert udp $HOME_NET any -> any any (msg:"suspicious traffic--"; content:"bad content"; nocase; tag:host, 60, packets, dst; classtype:bad-unknown; sid:1000001; rev:0;)

I want to capture traffic coming from any HOME_NET host to the destination IP in the alert packets.
Will "tag:host" and the "dst" option work?
If it works, in which file will the captured packets by the tag:host be stored?
How can we easily associate the packets captured by the tag:host action with the packets captured by the snort alert?

Thanks,
Qiao
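The difference between the three tag forms Qiao is asking about (tag:session, tag:host with src, tag:host with dst) is easiest to see on a single packet stream. The following is an added example, not code from this thread or from the Snort project: it models how each form selects follow-on packets after the alerting packet, using a constructed stream of source/destination pairs. The selection rules are an assumed reading of the manual's wording for the direction modifiers (src tags packets containing the source IP of the original alert, dst tags packets containing the destination IP), the "packets" count is assumed to cover follow-on packets only, and the "seconds" metric is not modelled; verify all of this against the tagging section Al links before relying on it.

```python
# Added example (not from the thread or from Snort): a small model of how the
# tag option picks follow-on packets after an alert, so tag:session,
# tag:host,src and tag:host,dst can be compared on one constructed stream.
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    seq: int   # position in the capture (constructed)
    src: str   # source IP (constructed)
    dst: str   # destination IP (constructed)


def tag_selects(alert: Packet, pkt: Packet, mode: str, direction: Optional[str]) -> bool:
    """Assumed selection rule, derived from the manual's wording:
    session  -> the packet is between the same two endpoints, either way round
    host,src -> the alert's source IP appears in the packet (either field)
    host,dst -> the alert's destination IP appears in the packet (either field)
    """
    if mode == "session":
        return {pkt.src, pkt.dst} == {alert.src, alert.dst}
    if mode == "host":
        anchor = alert.src if direction == "src" else alert.dst
        return anchor in (pkt.src, pkt.dst)
    raise ValueError(f"unknown tag mode {mode!r}")


def tagged_packets(alert: Packet, stream: List[Packet], mode: str,
                   count: int, direction: Optional[str] = None) -> List[int]:
    """Return the seq numbers of packets after `alert` that the tag would log,
    stopping once `count` packets (the 'packets' metric) have been logged.
    Assumption: the count covers follow-on packets only, not the alert itself."""
    if mode == "host" and direction not in ("src", "dst"):
        raise ValueError("tag:host needs a src or dst direction modifier")
    logged: List[int] = []
    for pkt in stream:
        if pkt.seq <= alert.seq:
            continue  # the alerting packet is logged by the alert, not the tag
        if tag_selects(alert, pkt, mode, direction):
            logged.append(pkt.seq)
            if len(logged) >= count:
                break
    return logged


# Constructed stream: seq 0 is the packet that matched the rule.
ALERT = Packet(0, "10.0.0.5", "203.0.113.9")
STREAM = [
    ALERT,
    Packet(1, "10.0.0.5", "203.0.113.9"),    # same session, same direction
    Packet(2, "203.0.113.9", "10.0.0.5"),    # same session, reply
    Packet(3, "10.0.0.7", "203.0.113.9"),    # another HOME_NET host to the alert's destination
    Packet(4, "10.0.0.5", "198.51.100.2"),   # the alert's source talking to a third host
    Packet(5, "10.0.0.7", "198.51.100.2"),   # unrelated to either alert endpoint
]


def compare(stream: List[Packet] = STREAM, alert: Packet = ALERT, count: int = 60) -> dict:
    """Run all three tag forms over the stream with the same packet count
    (60, as in the rule from the original question)."""
    return {
        "session": tagged_packets(alert, stream, "session", count),
        "host,src": tagged_packets(alert, stream, "host", count, "src"),
        "host,dst": tagged_packets(alert, stream, "host", count, "dst"),
    }


if __name__ == "__main__":
    for form, seqs in compare().items():
        print(f"tag:{form:<9} -> follow-on packets logged: {seqs}")
```

Under this model, packet 3 (a different HOME_NET host talking to the alert's destination) is selected only by the host/dst form, and packet 4 (the alert's source talking to a third host) only by the host/src form; tag:session logs just the reply and further packets of the original conversation. Whichever form is used, every tagged packet is written by the same output plugin as the alert itself, so the logging configuration, not the rule, decides which file they end up in.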