[Snort-users] snort wishlist

Todd Ransom TRansom at ...197...
Thu Aug 24 08:37:54 EDT 2000


It would be nice if I could tell snort to log all traffic to/from a
particular host after a certain event.  For example, consider a rule
like this (straight out of vision.conf):

alert UDP $EXTERNAL any -> $INTERNAL 137 (msg:
"IDS177/netbios-name-query"; content:
"CKAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA|00 00|";)

I want to know what happened next.  How did my server respond?  What
else did the attacker do?  This could be done with the addition of a
logfor keyword, which would mean log all traffic between these two
hosts for x seconds.  Something like this:

alert UDP $EXTERNAL any -> $INTERNAL 137 (msg:
"IDS177/netbios-name-query"; content:
"CKAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA|00 00|"; logfor:300;)

would log all traffic between these two for the next 5 minutes.
Thoughts?

TR

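A small Python model of the semantics proposed above, added here as an illustration; it is not code from the original post or from Snort. The rule dictionary, the host addresses and the packet list are constructed, and a repeat match is assumed to extend the window rather than leave it unchanged.

```python
# Model of the proposed "logfor" keyword (constructed example, not Snort code).
from dataclasses import dataclass

@dataclass
class Packet:
    ts: float       # seconds since capture start
    proto: str
    src: str
    dst: str
    dport: int
    payload: bytes = b""

# Constructed rule mirroring the netbios-name-query rule from the post.
RULE = {"proto": "UDP", "dport": 137, "msg": "IDS177/netbios-name-query",
        "content": b"CKAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\x00\x00", "logfor": 300}

def rule_matches(rule, pkt, external, internal):
    """Apply the rule header and its content match to one packet."""
    return (pkt.proto == rule["proto"] and pkt.src in external
            and pkt.dst in internal and pkt.dport == rule["dport"]
            and rule["content"] in pkt.payload)

def process(packets, rule, external, internal):
    """Return (alerts, logged). After an alert, every packet between the
    two hosts, any port or direction, is logged until the window expires."""
    follow = {}          # frozenset({hostA, hostB}) -> expiry timestamp
    alerts, logged = [], []
    for pkt in packets:
        pair = frozenset((pkt.src, pkt.dst))
        if pair in follow and pkt.ts > follow[pair]:
            del follow[pair]                   # window has run out
        if rule_matches(rule, pkt, external, internal):
            alerts.append((pkt.ts, rule["msg"]))
            follow[pair] = pkt.ts + rule["logfor"]   # open or extend window
        if pair in follow:
            logged.append(pkt)
    return alerts, logged

def run_demo():
    """Constructed traffic: one probe, the reply, a follow-up, then noise."""
    attacker, server, other = "203.0.113.5", "192.0.2.10", "198.51.100.7"
    pkts = [
        Packet(0.0, "UDP", attacker, server, 137, RULE["content"]),
        Packet(1.0, "UDP", server, attacker, 1024, b"name reply"),
        Packet(5.0, "TCP", attacker, server, 139),
        Packet(10.0, "TCP", other, server, 80),       # unrelated host
        Packet(400.0, "TCP", attacker, server, 445),  # after the 300 s window
    ]
    return process(pkts, RULE, {attacker, other}, {server})
```

Calling run_demo() yields one alert at t=0 and logs only the three packets exchanged between the two hosts inside the 300-second window; the unrelated host and the packet at t=400 are not logged.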