[Snort-users] Alerts and packet capture - MYSQL

Erek Adams erek at ...950...
Mon May 19 16:22:04 EDT 2003


On Mon, 19 May 2003, Snow Jacob C KPWA wrote:

> I am using snort 2.0 to capture data based on a custom rule:
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET :1024 (msg:"Syn
> Outbound";flags:S;tag:session,2,packets;)
>
>
>
> and logging this information to a MySQL database.  I then want to look
> through this data to see if a synack is sent back (aka a complete
> handshake/connection).  I am capturing additional packets as well.  When I
> try and view the additional packets in snort I am only getting the packet
> that triggers the rule not the extra packets that were captured.  Is there a
> way to view this information with acid or am I stuck doing it by hand.

Snort only logs the packts that match the rule.  This rule will only flag
outbound SYN's.  It won't help with returning SYNACKs.  You would need a
second rule to look for SYNACK with a 'flags:SA'.

> Also is there a way to right the rule such that it won't trigger if I don't
> get a synack back?

If I'm following this right, you want the above rule to alert if and only
if there is an outbound SYN followed by a returning SYNACK from the
destination IP of the SYN packet?  If so, then no.  That would be a job
better handled by a preprocessor.  Perhaps something similar to
portscan(2)....


> Does ACID already do this and I am missing something?  A little advice
> from the snort guru's and everyone else would be nice :-).

ACID is simply a way to view data.  It doesn't deal with rules, it simply
pulls data from the DB and displays it via PHP.

Hope that helps!

-----
Erek Adams

   "When things get weird, the weird turn pro."   H.S. Thompson




More information about the Snort-users mailing list