[Snort-users] newbie ? about tcp packet collection for specific ip
cjnorton at ...11748...
Mon May 3 08:12:06 EDT 2004
Before I spend too much time playing around with snort, I wonder if someone can confirm whether snort would meet my needs for a specific application. I need a non-interactive process which will monitor small network at company to intercept tcp traffic going to a printer. This process would run continuously, but once the tcp printer traffic is detected a different program would be initiated to process data.
Currently I have been playing with a perl script which continously executes tethereal every 60 sec and I process log for data of interest.
tethereal.exe -f "dst 126.96.36.199" -a duration:60 -w outfile
I wondered if I could use snort and create a specific rule file for tcp traffic (maybe to include only tcp port 515 packets)? My expectation is the log file would only be created when tcp traffic to printer occurs, and the content of tcp stream is present in log. If I could start snort in daemon mode and have it constantly append to log, then I could have another program running which monitors log and when new data is present, processes the data.
Please confirm is snort could work in this manner, and if so can you provide the correct syntax for snort and rule using detail I provided above. Any suggestions are appreciated. THANKS!
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Snort-users