[Snort-users] How to know what is "any" ip address???

waldo kitty wkitty42 at ...14940...
Tue Feb 3 21:47:17 EST 2015


On 2/2/2015 8:11 AM, zT wrote:
> hello all i use
> alert tcp any any -> any any (msg:"network found in packet content!!!";
> content:"network"; sid:10000; )
> when snort find a packet with FB content i want to which ip address this packet
> is comes from (ip header of packet) and store this packet( it content and
> headers) in a file.
> how can do this ?

by default, if you haven't changed the output stuff, snort puts this information 
in the captured pcap file named snort.log.xxxxxxxxxx that is active at the time 
the alert was fired... there's one snort.log.xxxxxxxxxx pcap file active for 
each execution of snort...

-- 
  NOTE: No off-list assistance is given without prior approval.
        Please *keep mailing list traffic on the list* unless
        private contact is specifically requested and granted.




More information about the Snort-users mailing list