[Snort-users] Rule to monitor a specific port

Martin Roesch roesch at ...421...
Tue Oct 24 21:48:33 EDT 2000


Try this:

var THE_IP <your IP here>
var THE_PORT <your port here>

log tcp any any -> $THE_IP $THE_PORT

Run Snort in binary logging mode with a -b switch like this:

snort -c rules -l <logdir> -b -A <alertmode>

Alternatively, you can tell Snort to log everything and filter for exactly
what you want with the BPF interface:

snort -l <logdir> -b port foo and \(host x or host y or host z\)

Something like that.

    -Marty

Jason Boyer wrote:
> 
> Trying to set up a rule to monitor a specific port. I would like to be
> able to record all traffic to a specific port on a network or a set of
> specific machines. A couple of my attempts catch some traffic but not
> all. Any ideas?
> 
> Thanks,
> 
> Jason
> 
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> http://lists.sourceforge.net/mailman/listinfo/snort-users

-- 
Martin Roesch
roesch at ...421...
http://www.snort.org
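An added example (not Marty's reply and not the Snort project's own code) that puts the two approaches above into a small POSIX sh script: it writes the var/log rules file and builds the BPF expression for any number of hosts, passing it to snort as one quoted argument so the parentheses need no backslash escaping. The IPs, port and paths are constructed placeholders.

```shell
#!/bin/sh
# Added example: generate the rules file and the BPF filter from the reply.
# All addresses, the port and the paths below are constructed placeholders.

# build_bpf PORT HOST...  ->  "port PORT and (host A or host B ...)"
# A single host needs no parentheses; several are OR'd inside one group.
build_bpf() {
    port=$1; shift
    [ $# -gt 0 ] || { echo "build_bpf: need at least one host" >&2; return 1; }
    hosts=""
    for h in "$@"; do
        hosts="${hosts:+$hosts or }host $h"
    done
    if [ $# -eq 1 ]; then
        printf 'port %s and %s\n' "$port" "$hosts"
    else
        printf 'port %s and (%s)\n' "$port" "$hosts"
    fi
}

# write_rules FILE IP PORT  ->  writes the var definitions and the log rule
# exactly as given in the reply (traffic *to* IP:PORT, one direction only).
write_rules() {
    file=$1; ip=$2; port=$3
    printf 'var THE_IP %s\nvar THE_PORT %s\n\nlog tcp any any -> $THE_IP $THE_PORT\n' \
        "$ip" "$port" > "$file"
}

# Usage with constructed values: everything to port 25 on two mail hosts.
# The -b binary log is tcpdump format, so "tcpdump -r <file>" can be used
# afterwards to check that the capture really holds the traffic expected.
if [ "${1:-}" = "run" ]; then
    write_rules /tmp/port.rules 192.0.2.10 25
    bpf=$(build_bpf 25 192.0.2.10 192.0.2.11)
    snort -l /tmp/snortlog -b "$bpf"
fi
```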
