[Snort-users] custom snort rule for packet capture

Le CON matty_condon at ...125...
Thu Dec 10 17:10:53 EST 2015

Hey guys,
So what I want to do is have custom rules which both a) update the normal way via unified2, which is then passed to a DB via by2, and b) dump those packets.
So basically, if a known bad IP hits I want to know about it, and also get a full packet capture dump. BUT I don't want 3,000 alerts for the 3,000 packets - I want 1 alert, or 1 alert per 5 minutes, letting me know that we got touched by badness and packets are being dumped.
Here's what I had -

 # classtype must name a declared classification; the default classification.config has no "sensitive"
 config classification: sensitive,Sensitive traffic,2

 ruletype sensitive
 {
     type alert
     output unified2: filename snort.u2, limit 128, mpls_event_types, vlan_event_types
     output log_tcpdump: sensitive.log
 }

 sensitive ip any any <> any any (content:"secret"; nocase; msg:"packet containing 'secret'"; classtype:sensitive; sid:80000001; rev:001;)
 # $BAD_IPS is a placeholder for the address list the original rule referenced but the mail does not include
 sensitive ip $BAD_IPS any <> any any (msg:"bad IP detected, dumping packets...."; classtype:sensitive; sid:80000002; rev:001;)

OK, so the problem is, it worked, but it flooded my normal events with about 3,000 alerts every time this IP connected. As I said, I only want it to alert once every 5 mins or so. I know I can do an in-rule threshold that limits alerts to once every 5 minutes by doing "threshold:type limit, count 1, seconds 60;" but since the rule is tied also to tcpdump, will that not cut the packet dump also?

Anyone have any experience with this?
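The configuration below is an added example, not from the post or the Snort project, showing one way to get the behaviour asked about: a single rate-limited unified2 alert per source every 5 minutes, with a second rule of type `log` that writes every matching packet to pcap and raises no alert, so a filter on the alert rule does not reduce the capture. `BAD_IPS` (with constructed TEST-NET addresses), the ruletype names, file names and SIDs are assumptions for the example.

```snort
# Added example, not the poster's config. Assumed: BAD_IPS list, ruletype names, file names, SIDs.
# Constructed sample addresses from the TEST-NET documentation ranges.
ipvar BAD_IPS [192.0.2.10,198.51.100.0/24]

# Snort rejects an undeclared classtype, so declare the one the rules use.
config classification: sensitive,Traffic to or from known bad IPs,1

# Alert path: writes a unified2 event (picked up by Barnyard2), no pcap output here.
ruletype bad_ip_alert
{
    type alert
    output unified2: filename snort.u2, limit 128, mpls_event_types, vlan_event_types
}

# Capture path: a log-type rule logs the packet through its own output plugin
# without generating an alert, so it is not subject to the alert rule's event_filter.
ruletype bad_ip_dump
{
    type log
    output log_tcpdump: bad_ip.log
}

bad_ip_alert ip $BAD_IPS any <> any any (msg:"bad IP detected, dumping packets"; classtype:sensitive; sid:80000002; rev:2;)
bad_ip_dump ip $BAD_IPS any <> any any (msg:"bad IP packet dump"; classtype:sensitive; sid:80000003; rev:1;)

# Rate-limit only the alert rule: at most one event per source address per 300 seconds.
# The in-rule threshold keyword is deprecated in Snort 2.9; event_filter is the replacement.
event_filter gen_id 1, sig_id 80000002, type limit, track by_src, count 1, seconds 300

# Both rules match the same packet, so the event queue must be allowed to log more than one
# event per packet (the default 'log 3' already permits this; shown here so it is explicit).
config event_queue: max_queue 8, log 3, order_events priority
```

The design point is that `event_filter` and the old `threshold` keyword act on the event, so every output plugin attached to the ruletype that raised it is suppressed together; keeping the packet dump in a separate log-type rule with its own SID gives it an independent, unfiltered path. Check with `snort -T -c snort.conf` that both ruletypes and the classification parse, then confirm `bad_ip.log` keeps growing while `snort.u2` receives one event per source per interval.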
