[Snort-users] Re: Delivery status notification (failure)

Joel Esler eslerj at ...11827...
Tue Jun 7 03:41:56 EDT 2005


I'm not sure I understand your question.  I think what you are aiming
for is a rule to capture everything?

That would be three rules:

alert tcp any any -> any any (msg:"TCP Capture";)
alert udp any any -> any any (msg:"UDP Capture";)
alert icmp any any -> any any (msg:"ICMP Capture";)

However I would not recommend these sigs, as they will light your
Snort IDS up like a Christmas tree.

On 6/6/05, Daniel Rocha <listas.dl at ...11827...> wrote:
> TCP PORTSCAN - log all packets?
> > > I am running snort 2.3.0 (Build 10) and in my snort.conf i enabled:
> > > "output log_tcpdump: tcpdump.log" to log in binary tcpdump mode.
> > >
> > > I am having a problem when i run a tcp portscan (and other types). I
> > > need to see all packets relative with the portscan in the log, and
> > > just two packets are logged, like:
> > >
> > > 16:13:10.119122 IP x > y: icmp 8: echo request seq 0
> > > 16:13:10.451484 IP x > y:  raw 147
> > >
> > > And the alert file show:
> > >
> > > [**] [1:469:3] ICMP PING NMAP [**]
> > > [Classification: Attempted Information Leak] [Priority: 2]
> > > 06/06-16:13:10.119122 x -> y
> > > ICMP TTL:48 TOS:0x0 ID:52088 IpLen:20 DgmLen:28
> > > Type:8  Code:0  ID:2209   Seq:0  ECHO
> > > [Xref => http://www.whitehats.com/info/IDS162]
> > >
> > > [**] [122:1:0] (portscan) TCP Portscan [**]
> > > 06/06-16:13:10.451484 x -> y
> > > RAW TTL:0 TOS:0x0 ID:22633 IpLen:20 DgmLen:167 DF
> > >
> > > Anyone knows how can i log all packets?
> > >
> >
> >
> > -------------------------------------------------------
> > This SF.Net email is sponsored by: NEC IT Guy Games.  How far can you shotput
> > a projector? How fast can you ride your desk chair down the office luge track?
> > If you want to score the big prize, get to know the little guy.
> > Play to win an NEC 61" plasma display: http://www.necitguy.com/?r
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users at lists.sourceforge.net
> > Go to this URL to change user options or unsubscribe:
> > https://lists.sourceforge.net/lists/listinfo/snort-users
> > Snort-users list archive:
> > http://www.geocrawler.com/redir-sf.php3?listsnort-users


-- 
Joel Esler
BASE Project Lead
http://sourceforge.net/projects/secureideas
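The alert records quoted in the thread use Snort's full-alert layout (a `[**] [gid:sid:rev] msg [**]` header, an optional classification line, then a timestamp/address line). The parser below is an added example, not code from the thread or from the Snort project; the two records and the addresses in `SAMPLE_ALERTS` are constructed to match the quoted output, and it separates sfPortscan preprocessor alerts (generator id 122) from rule alerts (generator id 1) so a reviewer can see which events belong to the scan.

```python
import re

# Constructed sample in Snort full-alert format, modelled on the two records
# quoted in the thread; the IP addresses are made up for this example.
SAMPLE_ALERTS = """\
[**] [1:469:3] ICMP PING NMAP [**]
[Classification: Attempted Information Leak] [Priority: 2]
06/06-16:13:10.119122 192.0.2.10 -> 198.51.100.5
ICMP TTL:48 TOS:0x0 ID:52088 IpLen:20 DgmLen:28
Type:8  Code:0  ID:2209   Seq:0  ECHO
[Xref => http://www.whitehats.com/info/IDS162]

[**] [122:1:0] (portscan) TCP Portscan [**]
06/06-16:13:10.451484 192.0.2.10 -> 198.51.100.5
RAW TTL:0 TOS:0x0 ID:22633 IpLen:20 DgmLen:167 DF
"""

HEADER_RE = re.compile(r"^\[\*\*\] \[(\d+):(\d+):(\d+)\] (.*?) \[\*\*\]$")
CLASS_RE = re.compile(r"^\[Classification: (.*?)\] \[Priority: (\d+)\]$")
# Timestamp, then src[:port] -> dst[:port]; ports are absent for ICMP/RAW.
PKT_RE = re.compile(
    r"^(\d\d/\d\d-\d\d:\d\d:\d\d\.\d+) (\S+?)(?::(\d+))? -> (\S+?)(?::(\d+))?$")


def parse_alerts(text):
    """Split a full-alert file into one dict per record (blank-line separated)."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.splitlines()
        m = HEADER_RE.match(lines[0])
        if not m:
            continue  # not a Snort alert header; skip the block
        rec = {"gid": int(m.group(1)), "sid": int(m.group(2)),
               "rev": int(m.group(3)), "msg": m.group(4),
               "classification": None, "priority": None}
        for line in lines[1:]:
            c = CLASS_RE.match(line)
            if c:
                rec["classification"], rec["priority"] = c.group(1), int(c.group(2))
                continue
            p = PKT_RE.match(line)
            if p:
                rec["timestamp"], rec["src"], rec["dst"] = p.group(1), p.group(2), p.group(4)
                rec["src_port"] = int(p.group(3)) if p.group(3) else None
                rec["dst_port"] = int(p.group(5)) if p.group(5) else None
        records.append(rec)
    return records


def portscan_alerts(records):
    """Alerts raised by the sfPortscan preprocessor (generator id 122)."""
    return [r for r in records if r["gid"] == 122]
```

Preprocessor alerts like the portscan record carry no classification line, so the parser leaves those fields as `None` instead of failing on them.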



