[Snort-users] Alerts and packet capture - MYSQL

Erek Adams erek at ...950...
Mon May 19 16:22:04 EDT 2003

On Mon, 19 May 2003, Snow Jacob C KPWA wrote:

> I am using snort 2.0 to capture data based on a custom rule:
> alert tcp $HOME_NET any -> $EXTERNAL_NET :1024 (msg:"Syn
> Outbound";flags:S;tag:session,2,packets;)
> and logging this information to a MySQL database.  I then want to look
> through this data to see if a synack is sent back (aka a complete
> handshake/connection).  I am capturing additional packets as well.  When I
> try and view the additional packets in snort I am only getting the packet
> that triggers the rule not the extra packets that were captured.  Is there a
> way to view this information with acid or am I stuck doing it by hand.

Snort only logs the packets that match the rule.  This rule will only flag
outbound SYNs.  It won't help with returning SYNACKs.  You would need a
second rule to look for SYNACK with a 'flags:SA'.

> Also is there a way to write the rule such that it won't trigger if I don't
> get a synack back?

If I'm following this right, you want the above rule to alert if and only
if there is an outbound SYN followed by a returning SYNACK from the
destination IP of the SYN packet?  If so, then no.  That would be a job
better handled by a preprocessor.  Perhaps something similar to

> Does ACID already do this and I am missing something?  A little advice
> from the snort gurus and everyone else would be nice :-).

ACID is simply a way to view data.  It doesn't deal with rules, it simply
pulls data from the DB and displays it via PHP.

Hope that helps!

Erek Adams

   "When things get weird, the weird turn pro."   H.S. Thompson
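Added example, not code from the thread or from the Snort project: the pairing of an outbound SYN with its returning SYN/ACK that Erek says a single rule cannot express, done after the fact over alert records pulled out of the database. It assumes the poster's `flags:S` rule is paired with a second, reverse-direction rule of the form `alert tcp $EXTERNAL_NET :1024 -> $HOME_NET any (msg:"SynAck Inbound"; flags:SA;)` (my assumption, following Erek's suggestion), and that each alert row has been read back as a record with a timestamp, addresses, ports and TCP flags. The alert records in the block are constructed sample data, not real Snort output; the field names and the `correlate` function are mine.

```python
"""Correlate outbound SYN alerts with returning SYN/ACK alerts.

Added example, not from the original thread. Assumes two Snort rules
(the poster's flags:S rule plus a reverse flags:SA rule) whose alerts
have been fetched from the MySQL tables into plain records.
"""
from collections import defaultdict, namedtuple
from datetime import datetime, timedelta

# One alert as read back from the database. Field names are an assumption
# made for this example, not Snort's schema.
Alert = namedtuple("Alert", "ts sig src sport dst dport flags")

# Constructed sample alerts (not real capture data).
SAMPLE_ALERTS = [
    # SYN answered 200 ms later by a SYN/ACK: a completed handshake.
    Alert(datetime(2003, 5, 19, 16, 0, 0), "Syn Outbound",
          "10.0.0.5", 33001, "192.0.2.10", 80, "S"),
    Alert(datetime(2003, 5, 19, 16, 0, 0, 200000), "SynAck Inbound",
          "192.0.2.10", 80, "10.0.0.5", 33001, "SA"),
    # SYN with no SYN/ACK at all (closed or filtered port).
    Alert(datetime(2003, 5, 19, 16, 0, 1), "Syn Outbound",
          "10.0.0.5", 33002, "192.0.2.11", 25, "S"),
    # SYN whose SYN/ACK arrives 18 s later, outside the pairing window.
    Alert(datetime(2003, 5, 19, 16, 0, 2), "Syn Outbound",
          "10.0.0.5", 33003, "192.0.2.12", 443, "S"),
    Alert(datetime(2003, 5, 19, 16, 0, 20), "SynAck Inbound",
          "192.0.2.12", 443, "10.0.0.5", 33003, "SA"),
    # SYN/ACK with no SYN on record (handshake began before capture started).
    Alert(datetime(2003, 5, 19, 16, 0, 3), "SynAck Inbound",
          "192.0.2.13", 22, "10.0.0.5", 33004, "SA"),
]


def correlate(alerts, window=timedelta(seconds=5)):
    """Pair each outbound SYN with the first SYN/ACK that reverses its
    4-tuple within `window`.

    Returns (completed, unanswered, orphans):
      completed  - list of (syn_alert, synack_alert) pairs
      unanswered - SYNs that never got a SYN/ACK inside the window
      orphans    - SYN/ACKs with no matching SYN (or one outside the window)
    """
    pending = defaultdict(list)  # (src, sport, dst, dport) -> SYN alerts awaiting a reply
    completed, unanswered, orphans = [], [], []

    for a in sorted(alerts, key=lambda x: x.ts):
        if a.flags == "S":
            pending[(a.src, a.sport, a.dst, a.dport)].append(a)
        elif a.flags == "SA":
            # The SYN/ACK's 4-tuple is the SYN's with both ends swapped.
            key = (a.dst, a.dport, a.src, a.sport)
            candidates = pending.get(key, [])
            match = next((s for s in candidates
                          if timedelta(0) <= a.ts - s.ts <= window), None)
            if match is None:
                orphans.append(a)
            else:
                candidates.remove(match)
                completed.append((match, a))

    for syns in pending.values():
        unanswered.extend(syns)
    return completed, unanswered, orphans


if __name__ == "__main__":
    done, missing, stray = correlate(SAMPLE_ALERTS)
    for syn, synack in done:
        print(f"complete: {syn.src}:{syn.sport} -> {syn.dst}:{syn.dport} "
              f"({(synack.ts - syn.ts).total_seconds():.3f}s)")
    for syn in missing:
        print(f"unanswered: {syn.src}:{syn.sport} -> {syn.dst}:{syn.dport}")
    for sa in stray:
        print(f"orphan SYN/ACK: {sa.src}:{sa.sport} -> {sa.dst}:{sa.dport}")
```

The window matters: a SYN/ACK that shows up long after its SYN is more likely a retransmission or a reply to a SYN that the sensor missed, so it is reported as an orphan rather than silently closing the handshake. Note also that Snort's `flags:S` and `flags:SA` match those flag bits exactly, so a SYN carrying the ECN bits would not fire the poster's rule in the first place.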
