[Snort-users] Using snort with pcap while alerting

honeybadger at ...15978...
Tue Dec 4 12:51:38 EST 2012


Stupid spellchecker! I :-) 

Corrected topic. 

honeybadger at ...15978... wrote:

>Hey all, 
>
>I am trying to get my head around how to script this. 
>
>I want a packet capture when SNORT alerts that a server is getting a
>UDP packet. 
>
>I know the rule is alert UDP any any -> serverip any. 
>
>PCAP does not seem able to do this, is there a way to script this in a
>local rule? 
>
>
>Snort Releases <snortreleases at ...950...> wrote:
>
>>Snort 2.9.4 is now available on snort.org, at
>>http://www.snort.org/snort-downloads/ in the Latest Release section.
>>
>>************
>>Please note:
>>2.9.3.1 & later packages are signed with a new PGP key
>>(that key is signed with the previous key).
>>************
>>
>>Snort 2.9.4 includes changes for the following:
>>
>>[*] New additions
>>
>>  * Consolidation of IPv6 -- now only a single build supports both
>>    IPv4 & IPv6, and removal of the IPv4 "only" code paths.
>>
>>  * File API and improvements to file processing for HTTP downloads
>>    and email attachments via SMTP, POP, and IMAP to facilitate
>>    broader file support
>>
>>  * Use of address space ID for tracking Frag & Stream connections
>>    when it is available with the DAQ
>>
>>  * Logging of packet data that triggers PPM for post-analysis via
>>    Snort event
>>
>>  * Decoding of IPv6 with PPPoE
>>
>>  * Added an API call to add a service to a host in the attribute
>>    table.
>>    Remove the unused live attribute update code.
>>
>>[*] Improvements
>>
>>  * Update to Stream5 PAF for handling gaps in the sequence numbers of
>>    packets being reassembled.
>>
>>  * Selection of the Stream TCP policy based on the server rather than
>>    the destination of first packet seen by Snort
>>
>>  * Allow disabling of global thresholds via a count of -1
>>
>>  * Prevent blocking duplicate SYNs when using inline normalization
>>
>>  * Add SSLv3 backwards compatibility support for SSLv2 ClientHello
>>    messages
>>
>>  * Allow active responses to packets without data (eg, a TCP SYN)
>>
>>  * Changed logic of option evaluations for shared library rules that
>>    use a custom evaluation function to match that of the builtin
>>    logic when the NOT_FLAG is used.  The 'NOT' matching now happens
>>    within each of the individual rule option evaluation functions.
>>
>>  * Updated SMTP preprocessor to better handle commands that have
>>    corresponding data on a subsequent line to reduce false positives.
>>    3 commands fall into this category - X-EXPS, XEXCH50, and BDAT.
>>
>>  * Improve support for encapsulated & tunneling protocols to block or
>>    fastpath a connection within the tunnel rather than applying that
>>    to the whole tunnel.
>>
>>Please see the Release Notes and ChangeLog for more details.
>>
>>Please submit bugs, questions, and feedback to bugs at ...10585...
>>
>>Happy Snorting!
>>The Snort Release Team
>>
>>
>>_______________________________________________
>>Snort-users mailing list
>>Snort-users at lists.sourceforge.net
>>Go to this URL to change user options or unsubscribe:
>>https://lists.sourceforge.net/lists/listinfo/snort-users
>>Snort-users list archive:
>>http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>>
>>Please visit http://blog.snort.org to stay current on all the latest
>>Snort news!

-- 
Sent from my Android phone with K-9 Mail. Please excuse my brevity.
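One way to get the capture the quoted question asks for, as an added example that is not from this thread or from the Snort project: a local rule with the Snort 2.9 "tag" option, which tells Snort to keep logging the rest of the session after the alert fires. $SERVER_IP is an assumed variable (set it with ipvar in snort.conf); the sid is a constructed local-range value.

```snort
# local.rules - added example, not from the thread. Assumes snort.conf
# defines the server address, e.g.  ipvar SERVER_IP 192.0.2.10
# (192.0.2.10 is a constructed placeholder, not a real host).
#
# The rule alerts on the first UDP packet to the server and then tags
# the session so Snort keeps logging its packets for 30 seconds after
# the alert. With "snort -c snort.conf -l /var/log/snort" the tagged
# packets are written to the log directory in pcap format (the default
# -K pcap logging mode), giving a capture tied to the alert.
alert udp any any -> $SERVER_IP any ( \
    msg:"UDP to monitored server - session tagged for capture"; \
    tag:session,30,seconds; \
    classtype:misc-activity; \
    sid:1000001; rev:1; \
)
```

Swap "tag:session,30,seconds" for "tag:host,600,seconds,src" to log every packet from the sending host for ten minutes instead of only that session.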