[Snort-users] rule that captures every packet

Truax, Shawn (MBS) Shawn.Truax at ...8509...
Tue Sep 14 05:58:47 EDT 2004

Hi snort user,

You might be already doing this but make sure you have some sort of back end
processor for the rules like Mudpit or barnyard running.  Depending on your
traffic you may get too many alerts and overload the system.  If memory
serves (and someone else here might know better) but a "shadow box" might be
the better way to go and couple the two together.  A shadow box will capture
every packet and store it for you.  I haven't set one up my self but a
colleague in the office tells me you can do some custom configurations and
alerting with shadow.  Hope that helps some for the future.

Shawn Truax
Sr. Security Specialist
Corporate Security
155 University Ave.
Toronto, Ontario
M5H 3B7

-----Original Message-----
From: Matt Kettler [mailto:mkettler at ...4108...]
Sent: September 13, 2004 7:25 PM
To: snort user
Cc: snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] rule that captures every packet

At 04:59 PM 9/13/2004, snort user wrote:
>i want to write a rule that captures every packet. i want to use this to 
>enter the code where pattern matching is done in the function 
>CheckANDPatternMatch. Any help would be appreciated.

alert ip any any -> any any

This SF.Net email is sponsored by: YOU BE THE JUDGE. Be one of 170
Project Admins to receive an Apple iPod Mini FREE for your judgement on
who ports your project to Linux PPC the best. Sponsored by IBM. 
Deadline: Sept. 13. Go here: http://sf.net/ppc_contest.php
Snort-users mailing list
Snort-users at lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
Snort-users list archive:
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20040914/d1c2ddd7/attachment.html>

More information about the Snort-users mailing list