[Snort-sigs] Output Offending packet on Alarm
zaire at ...347...
Mon Apr 15 21:33:02 EDT 2002
Check out the tag option in Snort's FAQ.
A good example of this might be something like so:
alert ip $HOME_NET any -> $EXTERNAL_NET any (msg:"OUTGOING SHELLCODE sparc NOOP"; \
    content:"|a61c c013 a61c c013 a61c c013 a61c c013|"; tag:host,90,seconds,dst; \
    reference:arachnids,355; classtype:shellcode-detect; sid:646; rev:2;)
If you start Snort so that it logs to a binary file, like so, you can
write your packets to a binary file for future playback.
A good way to do this might be: snort -b -L snort.log
Hope this helps you out.
On Sun, 14 Apr 2002, undercoffer wrote:
> In addition to an alarm I would like to write the offending packet(s) from a
> tcpdump file to a separate file.
> Can I do this via the SNORT rules or do I need to make some programmatic
> modification? If it is a rule, can anyone offer me an example? If
> programmatically, can anyone offer me some advice?
> Thanks in Advance.
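The original question also asks about the programmatic route: pulling the offending packets out of a tcpdump file into a separate file. The script below is an added example written for this archive page; it is not code from either poster or from the Snort project. It assumes classic libpcap format with Ethernet framing, and it matches the rule's content bytes against the IP payload (transport header plus data), which is what an `alert ip` rule's content option inspects. The two frames in SAMPLE_PCAP are constructed sample data, not a real capture, and the hex pattern is the one from the rule quoted above.

```python
import struct

PCAP_MAGIC = 0xA1B2C3D4        # classic pcap magic (microsecond timestamps)
LINKTYPE_ETHERNET = 1

# Content bytes from the rule on the page (sparc NOOP pattern, repeated 4 times).
SPARC_NOOP = bytes.fromhex("a61cc013" * 4)


def read_pcap(data):
    """Yield (ts_sec, ts_usec, frame_bytes) for each record in a pcap file image."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic == PCAP_MAGIC:
        e = "<"                    # file written little-endian
    elif magic == 0xD4C3B2A1:
        e = ">"                    # file written big-endian
    else:
        raise ValueError("not a classic pcap file")
    off = 24                       # global header is 24 bytes
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack_from(e + "IIII", data, off)
        off += 16
        frame = data[off:off + incl_len]
        if len(frame) < incl_len:
            raise ValueError("truncated packet record")
        off += incl_len
        yield ts_sec, ts_usec, frame


def write_pcap(records, snaplen=65535):
    """Serialize (ts_sec, ts_usec, frame) records into a little-endian pcap image."""
    out = bytearray(struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET))
    for ts_sec, ts_usec, frame in records:
        out += struct.pack("<IIII", ts_sec, ts_usec, len(frame), len(frame))
        out += frame
    return bytes(out)


def ip_payload(frame):
    """Return everything after the IPv4 header of an Ethernet/IPv4 frame, or b'' if not IPv4."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return b""
    ihl = (frame[14] & 0x0F) * 4
    total_len = struct.unpack_from("!H", frame, 16)[0]
    return frame[14 + ihl:14 + total_len]


def extract_matching(pcap_bytes, pattern):
    """Return (new pcap image, hit count) keeping only frames whose IP payload contains pattern."""
    hits = [rec for rec in read_pcap(pcap_bytes) if pattern in ip_payload(rec[2])]
    return write_pcap(hits), len(hits)


def build_frame(payload):
    """Constructed Ethernet/IPv4/UDP frame for the sample capture (checksums left zero)."""
    udp = struct.pack("!HHHH", 40000, 53, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 1, 0, 64, 17, 0,
                     bytes([10, 0, 0, 5]), bytes([192, 0, 2, 10]))
    eth = bytes.fromhex("020000000001") + bytes.fromhex("020000000002") + b"\x08\x00"
    return eth + ip + udp


# Constructed two-packet capture: one benign request, one carrying the NOOP bytes.
SAMPLE_PCAP = write_pcap([
    (1018920782, 0, build_frame(b"GET / HTTP/1.0\r\n")),
    (1018920783, 0, build_frame(b"\x00\x01" + SPARC_NOOP + b"tail")),
])

if __name__ == "__main__":
    filtered, n = extract_matching(SAMPLE_PCAP, SPARC_NOOP)
    with open("offending.pcap", "wb") as f:
        f.write(filtered)
    print(f"wrote {n} matching packet(s) to offending.pcap")
```

To run it against a real binary log, replace SAMPLE_PCAP with the bytes of a file written by `snort -b -L` (or by tcpdump -w); the output file opens in tcpdump or Wireshark as usual. The byte match here is a plain substring test, so it reproduces the rule's content option but none of Snort's other matching modifiers.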