[Snort-users] Understanding how to setup snort...

Hicks, John JHicks at ...5857...
Wed Dec 11 11:08:07 EST 2002


Try this as a rule:

log tcp $AIM_SERVERS any <-> $HOME_NET any (msg: "AIM Packet";)

Since the AIM servers are a variable in the newer snort, it makes it very
easy to trace *all* traffic to/from the known servers.

HTH,
John

-----Original Message-----
From: Andy Monroe [mailto:aim at ...7683...]
Sent: Thursday, December 05, 2002 3:42 PM
To: snort-users at lists.sourceforge.net
Subject: [Snort-users] Understanding how to setup snort...


I read the snort manual, but it simply is not clicking with me.  The
only thing I want to use snort for is to search AIM traffic for specific
keywords (as in illicit activity).  I have found this rule from the
mailing list:

 log tcp any any -> any any (msg: "AIM packet";
    content:"|2A 02|"; depth:2; flags:AP+;
    classtype:not-suspicious;priority:0;)

How do I go about logging all the AIM traffic?  First off, it looks like
the above rule will NOT log the content.  Doesn't the rule also need to
have "session: printable;"?

Second, I don't understand the role that the snort.conf plays in things.
The only thing I want to do is run snort in packet logger mode to search
the AIM packets, nothing else.  Can someone either point me to some info
that can guide me in this quest?  Or simply enlighten me?

Andy
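The rule from Andy's post, combined with the $AIM_SERVERS variable John suggests and the session:printable option Andy asks about, restated as a small Python matcher so the match semantics (content at depth 2, flags AP+, bidirectional server match) can be checked offline before touching snort.conf. This is an added example, not code from the thread or from Snort itself; the server addresses, TCP flag values and sample frames are constructed for the demo.

```python
import string

# Restatement of the thread's rule as a Python matcher (added example, not Snort code):
#   log tcp $AIM_SERVERS any <-> $HOME_NET any
#       (msg:"AIM packet"; content:"|2A 02|"; depth:2; flags:AP+; session:printable;)

TCP_ACK = 0x10
TCP_PSH = 0x08

# Stand-in for the $AIM_SERVERS variable: TEST-NET addresses, constructed for this demo.
AIM_SERVERS = {"192.0.2.10", "192.0.2.11"}


def matches_aim_rule(src, dst, tcp_flags, payload):
    """Apply the rule: either endpoint in $AIM_SERVERS (the <-> operator),
    ACK and PSH both set (flags:AP+ allows extra flags), and the two bytes
    2A 02 within the first 2 payload bytes (depth:2 => offset 0 only)."""
    if src not in AIM_SERVERS and dst not in AIM_SERVERS:
        return False
    if tcp_flags & (TCP_ACK | TCP_PSH) != (TCP_ACK | TCP_PSH):
        return False
    return payload[:2] == b"\x2a\x02"


def printable_session(payload):
    """Approximate session:printable: keep only printable ASCII so the logged
    text can be searched for keywords the way Andy describes."""
    return "".join(chr(b) for b in payload if chr(b) in string.printable)


def find_keywords(src, dst, tcp_flags, payload, keywords):
    """Return the keywords present in the printable text of a matching packet."""
    if not matches_aim_rule(src, dst, tcp_flags, payload):
        return []
    text = printable_session(payload).lower()
    return [k for k in keywords if k.lower() in text]


# Constructed sample payloads (not captured traffic): an OSCAR FLAP-style frame
# (0x2A marker, channel 2, sequence, length, body) and an unrelated HTTP request.
SAMPLE_AIM = b"\x2a\x02\x00\x07\x00\x0e" + b"\x00\x04\x00\x06hello world"
SAMPLE_HTTP = b"GET / HTTP/1.0\r\n\r\n"

if __name__ == "__main__":
    print(find_keywords("192.0.2.10", "10.0.0.5", 0x18, SAMPLE_AIM, ["world"]))
```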
