[Snort-users] Need to log FULL packets

Matt Kettler mkettler at ...4108...
Wed Mar 13 15:26:12 EST 2002


True, tagging may be useful to grab all of the follow-on packets from the 
same host. Heck, if he can figure out that the unusual UDP packets are 
always coming from the same machine he could even use tcpdump (which is 
probably the better tool if your only interest is capturing all the traffic 
matching a very simple profile):

tcpdump -x -s 1500 host xx.xx.xx.xx and udp

and if he can narrow it down to one port:
tcpdump -x -s 1500 host xx.xx.xx.xx and udp port yy



Also, Junaidi, next time try to put your message text above the "Matt 
Kettler wrote:" bit or leave that line out entirely. This message makes 
it look like you are quoting me talking about tagging, which you are not; 
my quote begins under that :)

At 06:04 AM 3/14/2002 +0800, Junaidi Bin Sapari wrote:
>-----BEGIN PGP SIGNED MESSAGE-----
>Hash: SHA1
>
>On Thursday 14 March 2002 02:59, Matt Kettler wrote:
>
>Snort is able to do tagging. This is based on the rule which is triggered.
>Once a rule is triggered, all the traffic involving the source host is
>logged. Below is one of my examples, so just apply the same for whichever
>particular rules you want.
>(from web-iis.rules)
>alert tcp $EXTERNAL_NET any -> $IIS_SERVERS 80 (msg:"WEB-IIS cmd.exe access";
>flags: A+; content:"cmd.exe"; nocase; classtype:web-application-attack;
>sid:1002; rev:2; tag: host, 300, packets, src;)

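To make the tagging semantics discussed in this thread concrete, here is an added example that is not part of the original messages and not Snort's own code: a small Python emulation of what a rule with `tag: host, <count>, packets, src` does, run over a constructed packet list. It follows the thread's description (once the rule fires, later traffic involving the triggering source host is logged until the packet count is used up). The `Packet`/`Rule`/`HostTagger` names, the sample traffic, the choice to log the triggering packet itself, and the choice to reset the budget if the same host triggers again are all assumptions made for this illustration, not statements about Snort's internal accounting.

```python
"""Emulation of Snort-style host tagging (added example, not Snort code)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str      # "tcp" or "udp"
    sport: int
    dport: int
    payload: bytes


@dataclass
class Rule:
    msg: str
    proto: str
    dport: int
    content: bytes
    nocase: bool
    tag_count: int  # the 300 in "tag: host, 300, packets, src"

    def matches(self, pkt: Packet) -> bool:
        """Crude stand-in for proto/port/content/nocase matching."""
        if pkt.proto != self.proto or pkt.dport != self.dport:
            return False
        hay = pkt.payload.lower() if self.nocase else pkt.payload
        needle = self.content.lower() if self.nocase else self.content
        return needle in hay


class HostTagger:
    """Logs the triggering packet, then `tag_count` more packets that involve
    the triggering source host (as src or dst), per the thread's description."""

    def __init__(self, rule: Rule):
        self.rule = rule
        self.remaining: dict[str, int] = {}   # tagged host -> packets left
        self.alerts: list[tuple[str, str]] = []
        self.logged: list[Packet] = []

    def _tagged_host(self, pkt: Packet):
        for host in (pkt.src, pkt.dst):
            if host in self.remaining:
                return host
        return None

    def process(self, pkt: Packet) -> bool:
        """Return True if this packet was logged."""
        if self.rule.matches(pkt):
            self.alerts.append((self.rule.msg, pkt.src))
            # assumption: a fresh trigger (re)arms the budget for that source
            self.remaining[pkt.src] = self.rule.tag_count
            self.logged.append(pkt)
            return True
        host = self._tagged_host(pkt)
        if host is None:
            return False
        self.remaining[host] -= 1
        if self.remaining[host] == 0:
            del self.remaining[host]      # budget exhausted, stop tagging
        self.logged.append(pkt)
        return True


# Constructed sample traffic (not captured data). 10.0.0.5 is the offender.
SAMPLE = [
    Packet("10.0.0.9", "192.168.1.10", "tcp", 40000, 80, b"GET /index.html HTTP/1.0\r\n"),
    Packet("10.0.0.5", "192.168.1.10", "tcp", 40001, 80,
           b"GET /scripts/..%c1%1c../winnt/system32/CMD.exe?/c+dir HTTP/1.0\r\n"),
    Packet("192.168.1.10", "10.0.0.5", "tcp", 80, 40001, b"HTTP/1.0 200 OK\r\n"),
    Packet("10.0.0.5", "192.168.1.20", "udp", 5000, 53, b"\x12\x34\x01\x00"),
    Packet("10.0.0.9", "192.168.1.10", "tcp", 40002, 80, b"GET /about.html HTTP/1.0\r\n"),
    Packet("10.0.0.5", "192.168.1.10", "tcp", 40003, 80, b"GET /default.asp HTTP/1.0\r\n"),
    Packet("10.0.0.5", "192.168.1.10", "tcp", 40004, 80, b"GET /x HTTP/1.0\r\n"),
]


def run(packets=SAMPLE, tag_count: int = 3):
    """Apply the WEB-IIS cmd.exe rule with a small tag budget and return
    (alerts, logged packets)."""
    rule = Rule("WEB-IIS cmd.exe access", "tcp", 80, b"cmd.exe", True, tag_count)
    tagger = HostTagger(rule)
    for p in packets:
        tagger.process(p)
    return tagger.alerts, tagger.logged


if __name__ == "__main__":
    alerts, logged = run()
    for msg, src in alerts:
        print(f"ALERT {msg} from {src}")
    for p in logged:
        print(f"LOGGED {p.proto} {p.src}:{p.sport} -> {p.dst}:{p.dport}")
```

With a budget of 3 the trigger packet, the server's reply, the follow-on UDP packet and one more request from 10.0.0.5 are logged; the request from 10.0.0.9 and the fifth packet from 10.0.0.5 (after the budget is exhausted) are not. A real tag value of 300 would behave the same way with a longer tail.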