[Snort-users] capturing a suspisous traffic stream

Martin Roesch roesch at ...1935...
Mon Oct 22 16:51:01 EDT 2001


Snort can mostly do this with tags and stream4.  Write a rule like this:

alert tcp any any -> $HOME_NET 80   \
	(content: "cmd.exe";        \
	msg: "WEB cmd.exe request"; \
	tag: session, 300, seconds;)

and it'll capture the next 300 seconds worth of this session.  If you're
running stream4 and logging in -b mode, it'll also cause stream4 to dump
out the packet cache for that session when it detects the alert has gone
off, which will record some limited information about what came before
the attack packet as well (in build 81 and higher).

Not quite 100%, but getting there...

     -Marty


phillip mawson wrote:
> 
> Hi all
> 
> I'm a new snort user and have a question about capturing suspicious
> data.
> 
> Can snort be used to capture a stream of data that appears malicious?
> 
> By stream I mean the whole conversation between client and server not
> just the offending packet.
> 
> For example:
> 
> You have snort set in IDS mode.
> 
> A rule set to alert on the "cmd.exe" string and log the offending
> packet.
> 
> The offending packet by itself may not give you enough information of
> identify if the scan is a false positive or not so you want to be able
> to log the entire conversation, part of it being the packet containing
> the "cmd.exe" string.
> 
> Can anyone think of ways to achieve this?
> 
> To me this seams like a stateful feature that might be achievable with
> stream4???
> 
> 
> 
> 
> 
> thanks
> 
> 
> 
> Phill
> 
> ----------------------------------------------------------------------
> Get your FREE download of MSN Explorer at http://explorer.msn.com
> _______________________________________________ Snort-users mailing
> list Snort-users at lists.sourceforge.net Go to this URL to change user
> options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users
> list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users

--
Martin Roesch - President, Sourcefire Inc. - (410)552-6999
roesch at ...1935... - http://www.sourcefire.com  
Snort: Open Source Network IDS - http://www.snort.org




More information about the Snort-users mailing list