[Snort-users] Using snort with paper while alerting

honeybadger at ...15978...
Tue Dec 4 12:31:03 EST 2012

Hey all, 

I am trying to get my head around how to script this.

I want a packet capture when SNORT alerts that a server is getting a UDP packet. 

I know the rule is alert UDP any any -> serverip any.

PCAP does not seem able to do this. Is there a way to script this in a local rule?

Snort Releases <snortreleases at ...950...> wrote:

>Snort 2.9.4 is now available on snort.org, at
>http://www.snort.org/snort-downloads/ in the Latest Release section.
>Please note:
> & later packages are signed with a new PGP key
>(that key is signed with the previous key).
>Snort 2.9.4 includes changes for the following:
>[*] New additions
>  * Consolidation of IPv6 -- now only a single build supports both
>    IPv4 & IPv6, and removal of the IPv4 "only" code paths.
>  * File API and improvements to file processing for HTTP downloads
>    and email attachments via SMTP, POP, and IMAP to facilitate
>    broader file support
>  * Use of address space ID for tracking Frag & Stream connections
>    when it is available with the DAQ
>  * Logging of packet data that triggers PPM for post-analysis via
>    Snort event
>  * Decoding of IPv6 with PPPoE
>  * Added an API call to add a service to a host in the attribute table.
>    Remove the unused live attribute update code.
>[*] Improvements
>  * Update to Stream5 PAF for handling gaps in the sequence numbers of
>    packets being reassembled.
>  * Selection of the Stream TCP policy based on the server rather than
>    the destination of first packet seen by Snort
>  * Allow disabling of global thresholds via a count of -1
>  * Prevent blocking duplicate SYNs when using inline normalization
>  * Add SSLv3 backwards compatibility support for SSLv2 ClientHello
>    messages
>  * Allow active responses to packets without data (eg, a TCP SYN)
>  * Changed logic of option evaluations for shared library rules that
>    use a custom evaluation function to match that of the builtin logic
>    when the NOT_FLAG is used.  The 'NOT' matching now happens within
>    each of the individual rule option evaluation functions.
>  * Updated SMTP preprocessor to better handle commands that have
>    corresponding data on a subsequent line to reduce false positives.
>    3 commands fall into this category - X-EXPS, XEXCH50, and BDAT.
>  * Improve support for encapsulated & tunneling protocols to block or
>    fastpath a connection within the tunnel rather applying that to
>    the whole tunnel.
>Please see the Release Notes and ChangeLog for more details.
>Please submit bugs, questions, and feedback to bugs at ...10585...
>Happy Snorting!
>The Snort Release Team
