[Snort-users] How to dump a certain number of tcp packets (for TCPDUMP) when an alert is fired

Jason security at ...5028...
Mon Sep 6 14:32:03 EDT 2004


You still want log_tcpdump however you can create another output type 
for just the alerts you want to go into the tcpdump format file. You can 
create as many alert types as you would like for different files for 
different alerts... Just watch how they are ordered in the rare case you 
hit a dependency.

http://www.snort.org/docs/snort_manual/node16.html#SECTION00421000000000000000

Loch Theary wrote:

> Yes, I've tried that. But in this case, you do log all packets in
> tcpdump format and not only the selected rules. And doing so, I don't
> know how many hard disks you will need for a big big network! And if you
> want to investigate further for some alerts, you will have to deal
> with all alerts ...
> 
> I'm wondering if there are other ways to deal with the tcpdump format
> than adding the log_tcpdump directive in snort.conf.
> 
> -----Original Message-----
> From: Jason [mailto:security at ...5028...]
> Sent: Monday, September 6, 2004 17:07
> To: Loch Theary
> Cc: Hart Clarence (rti1clh); emf at ...367...; snort-users at lists.sourceforge.net
> Subject: Re: [Snort-users] How to dump a certain number of tcp packets (for TCPDUMP) when an alert is fired
> 
> 
> I think you need to remove logto from the rules and use this in
> snort.conf
> 
> http://www.snort.org/docs/snort_manual/node13.html#SECTION00345000000000000000
> 
> 
> Loch Theary wrote:
> 
> 
>> My respects all,
>> 
>> It doesn't work even with the "logto" directive.
>> 
>> 
>> 
>>> These are my modified alert rules:
>> 
>> 
>>> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS 
>>> (msg:"WEB-MISC cross site scripting attempt"; 
>>> flow:to_server,established; content:"<SCRIPT>"; nocase; 
>>> logto:"/snort/logs/suspicious.tcpdump"; tag:session,50,packets; 
>>> classtype:web-application-attack; sid:1497; rev:6;)
>> 
>> 
>>> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS 
>>> (msg:"WEB-ATTACKS mail command attempt"; 
>>> flow:to_server,established; content:"/bin/mail"; nocase; 
>>> logto:"/snort/logs/suspicious.tcpdump"; tag:session,50,packets; 
>>> classtype:web-application-attack; sid:1366; rev:5;)
>> 
>> 
>>> I can determine what I am doing wrong ...
>> 
>> 
>> Can anyone help?
>> 
>> Regards, Theary
>> 
>> -----Original Message-----
>> From: Hart Clarence (rti1clh) [mailto:CHart at ...12386...]
>> Sent: Friday, September 3, 2004 15:40
>> To: 'emf at ...367...'; Loch Theary
>> Cc: snort-users at lists.sourceforge.net
>> Subject: RE: [Snort-users] How to dump a certain number of tcp packets (for TCPDUMP) when an alert is fired
>> 
>> 
>> If you use the alert tag, where are the log files going to go?
>> (filenames or database)
>> 
>> 
>> C
>> 
>> 
>> -----Original Message-----
>> From: Erik Fichtner [mailto:emf at ...367...]
>> Sent: Thursday, September 02, 2004 12:55 PM
>> To: Loch Theary
>> Cc: snort-users at lists.sourceforge.net
>> Subject: Re: [Snort-users] How to dump a certain number of tcp packets (for TCPDUMP) when an alert is fired
>> 
>> 
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>> 
>> On Thu, Sep 02, 2004 at 05:05:02PM +0200, Loch Theary wrote:
>> 
>> 
>>> Could you please tell me how to log a certain number of packets 
>>> when an alert is fired (tcp dump format) ?
>> 
>> 
>> "tag:session,${NUMBER},packets;"
>> 
>> - --
>> Erik Fichtner
>> Principal Engineer, Information Security, ServerVault Corp.
>> 703-652-5900
>> -----BEGIN PGP SIGNATURE-----
>> Version: GnuPG v1.0.7 (FreeBSD)
>> 
>> iD8DBQFBN1BXQ7EzrewLMS0RAo44AKDAQNM0GLBXm871a181TEspE0gdvwCgu8fk
>> DM4p3ty2fTBlymbrsqyv5tA=
>> =SBUM
>> -----END PGP SIGNATURE-----
>> 
>> 
>> -------------------------------------------------------
>> This SF.Net email is sponsored by BEA Weblogic Workshop
>> FREE Java Enterprise J2EE developer tools!
>> Get your free copy of BEA WebLogic Workshop 8.1 today.
>> http://ads.osdn.com/?ad_id=5047&alloc_id=10808&op=click
>> _______________________________________________
>> Snort-users mailing list
>> Snort-users at lists.sourceforge.net
>> Go to this URL to change user options or unsubscribe:
>> https://lists.sourceforge.net/lists/listinfo/snort-users
>> Snort-users list archive:
>> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>> 
>> 
>> 
> 
> 
> 

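As an added illustration (not code from the original thread or from the Snort project), here is what Jason's suggestion looks like in snort.conf: a custom rule type whose only outputs are a fast alert file and a log_tcpdump file, with Theary's two rules rewritten to use that type and with logto dropped. The file names, the $EXTERNAL_NET/$HTTP_SERVERS/$HTTP_PORTS variables and the 50-packet tag window are assumed from the thread; only rules declared with this type write to the tcpdump file, so the default log output (and its disk usage) is unaffected.

```snort
# Added example, not from the original thread. A custom rule type in
# snort.conf: rules declared with it use ONLY the output plugins listed
# here, so just their matching and tagged packets land in the tcpdump file.
# Snort prefixes the file name with its log directory (-l) and appends a
# timestamp. The ruletype block must appear before any rule that uses it.
ruletype suspicious
{
    type alert
    output alert_fast: suspicious.alert
    output log_tcpdump: suspicious.tcpdump
}

# The rules from the thread, rewritten to use the new type. "logto" is
# removed: per the Snort manual it does not work in binary (-b) logging
# mode, and the rule type already carries its own tcpdump output.
# tag:session,50,packets keeps logging the next 50 packets of the session
# after the alerting packet, which is the "dump N packets" asked for.
suspicious tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS \
    (msg:"WEB-MISC cross site scripting attempt"; flow:to_server,established; \
    content:"<SCRIPT>"; nocase; tag:session,50,packets; \
    classtype:web-application-attack; sid:1497; rev:6;)

suspicious tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS \
    (msg:"WEB-ATTACKS mail command attempt"; flow:to_server,established; \
    content:"/bin/mail"; nocase; tag:session,50,packets; \
    classtype:web-application-attack; sid:1366; rev:5;)
```

Once Snort has written the file, it reads like any other capture, e.g. `tcpdump -nr /var/log/snort/suspicious.tcpdump.<timestamp>` (path assumed). If you also want these alerts in the normal alert stream or database, add that output plugin to the ruletype block too; a rule of a custom type does not fall through to the default outputs.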



