[Snort-sigs] Output Offending packet on Alarm

zaire zaire at ...347...
Mon Apr 15 21:33:02 EDT 2002


Check out the tag option in Snort's FAQ.

A good example of this might be something like so:

alert ip $HOME_NET any -> $EXTERNAL_NET any (msg:"OUTGOING SHELLCODE sparc NOOP"; \
    content:"|a61c c013 a61c c013 a61c c013 a61c c013|"; tag:host,90,seconds,dst; \
    reference:arachnids,355; classtype:shellcode-detect; sid:646; rev:2;)

If you start your snort up so it logs to a binary file, like so, you can
write your packets to a binary file for future playback.


A good way to do this might be snort -b -L snort.log

Hope this helps you out.


-z
On Sun, 14 Apr 2002, undercoffer wrote:

> In addition to an alarm I would like to write the offending packet(s) from a
> tcpdump file to a separate file.
>
> Can I do this via the SNORT rules or do I need to make some programmatic
> modification.  If it is a rule, can anyone offer me an example, if
> programmatically can anyone offer me some advice?
>
> Thanks in Advance.
>
>
>
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-sigs
>
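The rule above combines a content match with the tag option: once the content fires, Snort keeps logging packets to and from the tagged host (the destination host here, for 90 seconds). The script below is an added example, not part of this thread and not Snort code; it parses the rule's options, decodes the |..| hex content, and walks a constructed packet list to show which packets the alert and the tag window would capture. The packet stream, the Packet class, and the simplified model of tag semantics (host tags match either endpoint, session tags match the alerting pair, bytes/packets/seconds bound the window) are assumptions made for illustration.

```python
import re
from dataclasses import dataclass

# Constructed rule with the same shape as the one in the post (hypothetical test data).
RULE = ('alert ip $HOME_NET any -> $EXTERNAL_NET any (msg:"OUTGOING SHELLCODE sparc NOOP"; '
        'content:"|a61c c013 a61c c013 a61c c013 a61c c013|"; tag:host,90,seconds,dst; '
        'reference:arachnids,355; classtype:shellcode-detect; sid:646; rev:2;)')


def parse_options(rule):
    """Split the parenthesised option body into (keyword, value) pairs.
    Simplification: assumes no literal ';' inside quoted values."""
    body = rule[rule.index('(') + 1:rule.rindex(')')]
    opts = []
    for raw in re.split(r';\s*', body):
        if not raw:
            continue
        key, _, value = raw.partition(':')
        opts.append((key.strip(), value.strip().strip('"')))
    return opts


def parse_tag(value):
    """Parse 'type,count,metric[,direction]' as Snort's tag option is written."""
    parts = [p.strip() for p in value.split(',')]
    if len(parts) not in (3, 4):
        raise ValueError('tag needs type,count,metric[,direction]')
    ttype, count, metric = parts[0], int(parts[1]), parts[2]
    direction = parts[3] if len(parts) == 4 else 'src'
    if ttype not in ('host', 'session'):
        raise ValueError('tag type must be host or session')
    if metric not in ('packets', 'seconds', 'bytes'):
        raise ValueError('tag metric must be packets, seconds or bytes')
    if direction not in ('src', 'dst'):
        raise ValueError('tag direction must be src or dst')
    return {'type': ttype, 'count': count, 'metric': metric, 'direction': direction}


def content_bytes(value):
    """Turn a |a61c c013 ...| content string into the raw bytes to search for."""
    return bytes.fromhex(value.strip('|').replace(' ', ''))


@dataclass
class Packet:            # minimal constructed packet model (assumption)
    ts: float            # seconds since capture start
    src: str
    dst: str
    payload: bytes


def tagged_packets(packets, rule):
    """Return (alerted, tagged) packet indices under a simplified tag model:
    the first content hit raises the alert and opens a window; later packets
    that belong to the tagged host (or session) are tagged until the window's
    seconds/packets/bytes budget is used up."""
    opts = dict(parse_options(rule))
    needle = content_bytes(opts['content'])
    tag = parse_tag(opts['tag'])
    alerted, tagged = [], []
    window = None
    for i, p in enumerate(packets):
        if window is not None:
            if tag['metric'] == 'seconds':
                still_open = p.ts - window['ts'] <= tag['count']
            elif tag['metric'] == 'packets':
                still_open = window['packets'] < tag['count']
            else:
                still_open = window['bytes'] < tag['count']
            if not still_open:
                window = None
            else:
                if tag['type'] == 'host':
                    hit = window['host'] in (p.src, p.dst)
                else:  # session: same pair of endpoints, either direction
                    hit = {p.src, p.dst} == window['pair']
                if hit:
                    tagged.append(i)
                    window['packets'] += 1
                    window['bytes'] += len(p.payload)
        if window is None and needle in p.payload:
            alerted.append(i)
            host = p.dst if tag['direction'] == 'dst' else p.src
            window = {'host': host, 'pair': {p.src, p.dst}, 'ts': p.ts,
                      'packets': 0, 'bytes': 0}
    return alerted, tagged


# Constructed sample stream: one benign packet, one carrying the NOOP sled bytes,
# then traffic inside and outside the 90-second window for the tagged host.
NOOP = bytes.fromhex('a61cc013' * 4)
SAMPLE = [
    Packet(0.0, '10.0.0.5', '203.0.113.9', b'GET / HTTP/1.0\r\n'),
    Packet(1.0, '10.0.0.5', '203.0.113.9', b'\x90' * 8 + NOOP + b'\x90'),
    Packet(2.0, '203.0.113.9', '10.0.0.5', b'ack'),
    Packet(3.0, '10.0.0.5', '198.51.100.2', b'other host, not tagged'),
    Packet(50.0, '10.0.0.5', '203.0.113.9', b'still inside 90s window'),
    Packet(100.0, '10.0.0.5', '203.0.113.9', b'window expired'),
]

if __name__ == '__main__':
    print(tagged_packets(SAMPLE, RULE))
```

Running it prints `([1], [2, 4])`: packet 1 raises the alert, and only the packets exchanged with 203.0.113.9 within the next 90 seconds are tagged; the packet to a different host and the one arriving after the window are left alone. In a real deployment those tagged packets end up in the log (or the binary file when snort runs with -b -L), which is the behaviour the post is pointing at.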