[Snort-devel] TCPDUMP - logging traffic from an attacker

Robert Wagner rwagner at ...1225...
Wed Mar 27 08:22:02 EST 2002


I am new to this list; I have browsed the archive but cannot find this kind
of information.

I am interested in capturing traffic to and from an attacker following an
attack.

Example:
Snort identifies a "WEB-IIS cmd.exe access" attack from attacker A against my
web server B.  I would like this to trigger a TCPDUMP -X or snort -X dump
(capture the entire packet, in Hex and Ascii) for the next X packets (or
some timeout variable) coming or going to attacker A.

This would enable me to see if an attack was successful and what happened.
I could also see how my server responded and research if some vulnerability
might exist.  This would be helpful during a probe where the attacker is
just gathering information.

I admit not being a heavy programmer, so any assistance would be helpful.

I would like to set up one of the following:

1)  An "output TCP_DUMP Count# Time#" that would append the log generated
by snort for the attacker with the next Count# packets, or packets to or from
the attacker in Time# seconds.

2)  An "output program.pl", a generic output that would allow me to run
program.pl (or a shell script) that lets me set up TCPDUMP however I wish.
This would need to feed variables like Source IP, Source Port, Destination
IP, Destination Port, Priority, Interface.

I thought about using Guardian, but I fear the delay in passing the
information to syslog, back out to guardian, then run an external script may
be slow enough to miss some packets.

Please let me know your thoughts
Thanks in advance for any assistance
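As an added illustration of option 2 (not code from the original post, and not a Snort output plugin): a small Python helper that takes a Snort alert_fast line, pulls out the variables listed above (source IP/port, destination IP/port, priority, protocol), and runs a tcpdump capture that is bounded both by packet count and by a timeout, filtered on the attacker's address in either direction. The sample alert line is constructed for the example; the interface name, count and timeout are assumptions passed in by the caller. Writing with -w keeps the raw packets, which can be rendered in hex and ASCII afterwards with `tcpdump -r <file> -X`; -U flushes each packet so nothing is lost when the timeout stops the process.

```python
import re
import shlex
import subprocess

# Constructed sample in Snort's alert_fast format (not taken from the original post).
SAMPLE_ALERT = (
    "03/27-08:22:02.123456  [**] [1:1002:5] WEB-IIS cmd.exe access [**] "
    "[Classification: Web Application Attack] [Priority: 1] {TCP} "
    "203.0.113.7:43210 -> 192.0.2.10:80"
)

# gid:sid:rev, message, optional classification, priority, protocol, src -> dst
ALERT_RE = re.compile(
    r"\[\*\*\] \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.+?) \[\*\*\] "
    r"(?:\[Classification: (?P<cls>[^\]]+)\] )?"
    r"\[Priority: (?P<prio>\d+)\] \{(?P<proto>\w+)\} "
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))? -> (?P<dst>[\d.]+)(?::(?P<dport>\d+))?"
)


def parse_alert(line):
    """Extract the fields an external capture script needs from one alert_fast line."""
    m = ALERT_RE.search(line)
    if not m:
        raise ValueError("not an alert_fast line: %r" % line)
    d = m.groupdict()
    return {
        "sid": int(d["sid"]),
        "msg": d["msg"],
        "priority": int(d["prio"]),
        "proto": d["proto"],
        "src_ip": d["src"],
        "src_port": int(d["sport"]) if d["sport"] else None,
        "dst_ip": d["dst"],
        "dst_port": int(d["dport"]) if d["dport"] else None,
    }


def tcpdump_argv(alert, iface, count, outfile):
    """Build the tcpdump command: next `count` packets to or from the alert source."""
    return [
        "tcpdump", "-i", iface, "-n", "-U",
        "-c", str(count),      # packet-count bound (the poster's Count#)
        "-s", "0",             # whole packet, so the later -X dump shows everything
        "-w", outfile,         # raw pcap; view later with: tcpdump -r outfile -X
        "host", alert["src_ip"],   # BPF filter: both directions for attacker A
    ]


def follow_attacker(alert, iface="eth0", count=100, timeout=60, outfile=None):
    """Capture until `count` packets or `timeout` seconds (the poster's Time#), whichever first.

    Needs capture privileges on the host; the timeout is enforced by killing tcpdump.
    """
    outfile = outfile or "follow-%s-sid%d.pcap" % (alert["src_ip"], alert["sid"])
    argv = tcpdump_argv(alert, iface, count, outfile)
    try:
        subprocess.run(argv, timeout=timeout, check=False)
    except subprocess.TimeoutExpired:
        pass  # time bound hit before the count bound; -U kept the file consistent
    return outfile


if __name__ == "__main__":
    alert = parse_alert(SAMPLE_ALERT)
    print("alert:", alert)
    print("would run:", " ".join(shlex.quote(a) for a in tcpdump_argv(alert, "eth0", 100, "follow.pcap")))
```

To wire it to a live sensor, tail the alert file and call `follow_attacker` for each new line whose priority is low enough to matter; a filter on `host` alone also records the server's replies, which is what shows whether the probe got anything back.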