[Snort-users] Fw: Snort Malicious Traffic Redirection to other IP

mehrdad hajizadeh mehrdad_richman at ...131...
Thu Apr 2 08:19:04 EDT 2015


Actually, Im working on this solution  whenever alert triggered snort should log malicious in pcap format and save it in destination machine (or a software try to make socket and send).
But the problem is that in the destination we would need to read this pcap data in offline mode.(I think it may not optimum solution) 
Is there any possibility in snort that whenever alert triggered uses firewall capability in order to forward traffic flow to the new destination in real time mode ? (or even is it possible to execute a script as an action in snort  after trigger)
Any other idea?suggestion?
Tnx 


 


     On Wednesday, April 1, 2015 12:28 PM, Al Lewis (allewi) <allewi at ...16686......> wrote:
   

 #yiv8258398872 #yiv8258398872 -- _filtered #yiv8258398872 {font-family:Helvetica;panose-1:2 11 6 4 2 2 2 2 2 4;} _filtered #yiv8258398872 {font-family:Helvetica;panose-1:2 11 6 4 2 2 2 2 2 4;} _filtered #yiv8258398872 {font-family:Calibri;panose-1:2 15 5 2 2 2 4 3 2 4;} _filtered #yiv8258398872 {font-family:Tahoma;panose-1:2 11 6 4 3 5 4 4 2 4;} _filtered #yiv8258398872 {font-family:Candara;panose-1:2 14 5 2 3 3 3 2 2 4;} _filtered #yiv8258398872 {font-family:Georgia;panose-1:2 4 5 2 5 4 5 2 3 3;} _filtered #yiv8258398872 {panose-1:0 0 0 0 0 0 0 0 0 0;}#yiv8258398872 #yiv8258398872 p.yiv8258398872MsoNormal, #yiv8258398872 li.yiv8258398872MsoNormal, #yiv8258398872 div.yiv8258398872MsoNormal {margin:0in;margin-bottom:.0001pt;font-size:12.0pt;}#yiv8258398872 a:link, #yiv8258398872 span.yiv8258398872MsoHyperlink {color:blue;text-decoration:underline;}#yiv8258398872 a:visited, #yiv8258398872 span.yiv8258398872MsoHyperlinkFollowed {color:purple;text-decoration:underline;}#yiv8258398872 span {}#yiv8258398872 span.yiv8258398872EmailStyle18 {color:#1F497D;}#yiv8258398872 .yiv8258398872MsoChpDefault {font-size:10.0pt;} _filtered #yiv8258398872 {margin:1.0in 1.0in 1.0in 1.0in;}#yiv8258398872 div.yiv8258398872WordSection1 {}#yiv8258398872 Have you tried capturing the traffic (in pcap format) and then using that (replaying it)  for analysis on another machine?    Albert Lewis QA Software Engineer SOURCEfire, Inc.now part of Cisco 9780 Patuxent Woods Drive
Columbia, MD 21046  Phone: (office) 443.430.7112 Email:allewi at ...979...589...     From: mehrdad hajizadeh [mailto:mehrdad_richman at ...3112......]
Sent: Wednesday, April 01, 2015 1:53 AM
To: Snort-users at lists.sourceforge.net
Subject: [Snort-users] Fw: Snort Malicious Traffic Redirection to other IP    Actually, in this special case I wanna separate and send malicious traffic for further analysis in other machine  (honeypot machine or get DPI service from central DPI machine).          On Tuesday, March 31, 2015 4:47 PM, Joel Esler (jesler) <jesler at ...589...> wrote:    Why not put Snort inline and drop the malicious traffic totally?    --
Joel Esler
Open Source Manager
Threat Intelligence Team Lead
Talos Group    
On Mar 31, 2015, at 1:17 AM, mehrdad hajizadeh <mehrdad_richman at ...131...> wrote:       Hello All,    I was wondering if somebody help me , how I can redirect malicious traffic to the other IP or host with Snort. Is it possible in snort to redirect specific traffic (the traffic which is matched with snort attack signature ) to the one specific computer? I just wanna to separate malicious traffic with normal traffic by snort.. Tnx in advance    ------------------------------------------------------------------------------
Dive into the World of Parallel Programming The Go Parallel Website, sponsored
by Intel and developed in partnership with Slashdot Media, is your hub for all
things parallel software development, from weekly thought leadership blogs to
news, videos, case studies, tutorials and more. Take a look and join the 
conversation now. http://goparallel.sourceforge.net/_______________________________________________
Snort-users mailing list
Snort-users at lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news! 
      

  
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20150402/d93b69c0/attachment.html>


More information about the Snort-users mailing list