[Snort-users] newbie ? about tcp packet collection for specific ip

sgt_b sgt_b at ...11733...
Mon May 3 10:40:13 EDT 2004


Why not just use a packet sniffer for this purpose? It seems that 
tcpdump (or windump) would fit this need perfectly. Just use `tcpdump 
-nvXs 0 -w logfile.log host <host> and tcp port 515'. That would capture 
all traffic to that host destined for port 515.
That being said, snort can be used in "sniffer" mode as well, and write 
the output to a log file. The same bpf filter mentioned above could be 
used along with snort: `snort -D -d -l <logging directory> host <host> 
and tcp port 515'. This would put snort in daemon mode, and log all 
packets destined for your host on tcp port 515. You may have to add 
additional flags to snort to get the output you desire, of course.

Hope this helps!
sgt_b

Janet Norton wrote:

> Before I spend too much time playing around with snort, I wonder if 
> someone can confirm whether snort would meet my needs for a specific 
> application.  I need a non-interactive process which will monitor a 
> small network at the company to intercept tcp traffic going to a 
> printer.  This process would run continuously, but once the tcp 
> printer traffic is detected a different program would be initiated to 
> process the data.
>  
> Currently I have been playing with a perl script which continuously 
> executes tethereal every 60 sec, and I process the log for data of interest.
> tethereal.exe -f "dst 149.59.152.28" -a duration:60 -w outfile
>  
> I wondered if I could use snort and create a specific rule file for 
> tcp traffic (maybe to include only tcp port 515 packets)?  My 
> expectation is the log file would only be created when tcp traffic to 
> printer occurs, and the content of tcp stream is present in log.  If I 
> could start snort in daemon mode and have it constantly append to log, 
> then I could have another program running which monitors log and when 
> new data is present, processes the data. 
>  
> Please confirm if snort could work in this manner, and if so, can you 
> provide the correct syntax for snort and the rule using the detail I provided 
> above.  Any suggestions are appreciated.  THANKS!
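The part neither reply spells out is the "other program" that watches the capture file and processes only what is new. Below is an added example (not code from either poster or from the Snort project) that reads a tcpdump-format (classic pcap) file such as `tcpdump -w` or `snort -b` writes, keeps the TCP payloads of segments sent to the printer on tcp/515, and returns the byte offset reached so that a poller run every 60 seconds sees only fresh records. The printer address 149.59.152.28 and port 515 come from the question; the sample frames, the MAC addresses, the timestamps and the LPD job bytes are constructed here for the demonstration, and checksums are left at zero because the parser never verifies them. The BPF filter in the capture command already restricts what is written, so the host/port check here is a second line of defence (and lets the same poller work on an unfiltered capture).

```python
"""Extract tcp/515 (LPD) payloads sent to one printer from a classic pcap file,
remembering a file offset so a periodic poller only handles new records."""
import struct
import socket

PCAP_MAGIC = 0xA1B2C3D4     # classic libpcap magic, microsecond timestamps
DLT_EN10MB = 1              # link type: Ethernet
ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6
LPD_PORT = 515
PRINTER = "149.59.152.28"   # printer address from the original question


def pcap_endianness(data):
    """Return the struct byte-order prefix for the pcap global header."""
    magic = struct.unpack_from("<I", data, 0)[0]
    if magic == PCAP_MAGIC:
        return "<"
    if magic == 0xD4C3B2A1:
        return ">"
    raise ValueError("not a classic pcap file (pcapng is not handled here)")


def iter_records(data, start):
    """Yield (end_offset, timestamp, frame) for each complete record from byte offset start.
    A trailing partial record (writer still flushing) is left unread for the next poll."""
    endian = pcap_endianness(data)
    off = start
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack_from(endian + "IIII", data, off)
        end = off + 16 + incl_len
        if end > len(data):
            break
        yield end, ts_sec + ts_usec / 1e6, data[off + 16:end]
        off = end


def tcp_payload_to(frame, dst_ip, dst_port):
    """Return the TCP payload if frame is IPv4/TCP addressed to dst_ip:dst_port, else None."""
    if len(frame) < 14 + 20 + 20:
        return None
    if struct.unpack_from("!H", frame, 12)[0] != ETHERTYPE_IPV4:
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack_from("!H", ip, 2)[0]   # trims Ethernet padding
    if (ip[0] >> 4) != 4 or ihl < 20 or ip[9] != IPPROTO_TCP:
        return None
    if socket.inet_ntoa(ip[16:20]) != dst_ip:
        return None
    tcp = ip[ihl:total_len]
    if len(tcp) < 20 or struct.unpack_from("!H", tcp, 2)[0] != dst_port:
        return None
    data_off = (tcp[12] >> 4) * 4
    return tcp[data_off:]


def collect_printer_jobs(data, printer_ip, start_offset=0, port=LPD_PORT):
    """Scan pcap bytes from start_offset (0 = whole file) and return (payloads, new_offset).
    Store new_offset between polls so each run only processes records appended since."""
    off = max(start_offset, 24)          # never re-read the 24-byte global header
    payloads = []
    for end, _ts, frame in iter_records(data, off):
        payload = tcp_payload_to(frame, printer_ip, port)
        if payload:                       # skip SYN/ACK-only segments with no data
            payloads.append(payload)
        off = end
    return payloads, off


# --- constructed sample capture (not real traffic) ---------------------------
def build_frame(src_ip, dst_ip, sport, dport, payload):
    """Ethernet/IPv4/TCP frame with zeroed checksums; enough for offline parsing."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + struct.pack("!H", ETHERTYPE_IPV4)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, IPPROTO_TCP, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return eth + ip + tcp


def pcap_record(frame, ts_sec, ts_usec=0):
    """One little-endian pcap record header plus the frame."""
    return struct.pack("<IIII", ts_sec, ts_usec, len(frame), len(frame)) + frame


def build_sample_pcap(frames):
    """Little-endian pcap with Ethernet link type, as tcpdump -w would write it."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, DLT_EN10MB)
    for i, frame in enumerate(frames):
        out += pcap_record(frame, 1083595213 + i)
    return out


SAMPLE = build_sample_pcap([
    build_frame("149.59.152.10", PRINTER, 1021, 515, b"\x02lp\n"),           # LPD "receive job" for queue lp
    build_frame("149.59.152.10", PRINTER, 1021, 80, b"GET / HTTP/1.0\r\n"),  # other port: ignored
    build_frame(PRINTER, "149.59.152.10", 515, 1021, b"\x00"),               # printer's reply: ignored
    build_frame("149.59.152.10", PRINTER, 1021, 515, b"\x0386 cfA001host\n"),  # control-file subcommand
])

if __name__ == "__main__":
    jobs, offset = collect_printer_jobs(SAMPLE, PRINTER)
    for job in jobs:
        print(job)
    print("resume next poll at offset", offset)
```

In a real deployment the poller would `open(logfile, "rb").read()` on each pass, feed the bytes with the stored offset, and persist the returned offset. Keep in mind that the capture tool must be restarted if the file is rotated, and that an offset should be reset to 0 whenever the file shrinks.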