[Snort-users] How to know what is "any" ip address???
wkitty42 at ...14940...
Tue Feb 3 21:47:17 EST 2015
On 2/2/2015 8:11 AM, zT wrote:
> hello all i use
> alert tcp any any -> any any (msg:"network found in packet content!!!";
> content:"network"; sid:10000; )
> when snort finds a packet with FB content i want to know which ip address this packet
> comes from (ip header of packet) and store this packet (its content and
> headers) in a file.
> how can i do this?
by default, if you haven't changed the output stuff, snort puts this information
in the captured pcap file named snort.log.xxxxxxxxxx that is active at the time
the alert was fired... there's one snort.log.xxxxxxxxxx pcap file active for
each execution of snort...
NOTE: No off-list assistance is given without prior approval.
Please *keep mailing list traffic on the list* unless
private contact is specifically requested and granted.
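
An added example, not part of the original reply or of Snort itself: a small reader for the pcap file described above that pulls the source and destination addresses out of the IP header of each logged packet containing the rule's content string. It assumes a classic libpcap file with Ethernet framing and IPv4; the function names and the one-packet sample capture are constructed for illustration.

```python
import socket
import struct

def read_pcap(data):
    """Yield (timestamp, frame) pairs from the bytes of a classic libpcap file."""
    if data[:4] == b"\xd4\xc3\xb2\xa1":
        endian = "<"
    elif data[:4] == b"\xa1\xb2\xc3\xd4":
        endian = ">"
    else:
        raise ValueError("not a classic pcap file")
    if struct.unpack(endian + "I", data[20:24])[0] != 1:
        raise ValueError("only Ethernet (link type 1) is handled here")
    off = 24                                   # skip the 24-byte global header
    while off + 16 <= len(data):
        ts, _usec, caplen, _wirelen = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        yield ts, data[off:off + caplen]
        off += caplen

def sources_matching(data, needle=b"network"):
    """Return (timestamp, src_ip, dst_ip) for IPv4 packets that contain needle."""
    hits = []
    for ts, frame in read_pcap(data):
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue                           # truncated or not IPv4 (VLAN tags not handled)
        ihl = (frame[14] & 0x0F) * 4           # IP header length in bytes
        # Simplification: search everything after the IP header.
        if needle in frame[14 + ihl:]:
            hits.append((ts, socket.inet_ntoa(frame[26:30]), socket.inet_ntoa(frame[30:34])))
    return hits

def build_sample():
    """Constructed one-packet capture: 192.0.2.10 -> 198.51.100.5 (checksums left at 0)."""
    payload = b"GET /network HTTP/1.0\r\n\r\n"
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 0, 0, 0x50, 0x18, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     socket.inet_aton("192.0.2.10"), socket.inet_aton("198.51.100.5"))
    frame = b"\x00" * 12 + b"\x08\x00" + ip + tcp + payload
    global_hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    record_hdr = struct.pack("<IIII", 1422931637, 0, len(frame), len(frame))
    return global_hdr + record_hdr + frame

if __name__ == "__main__":
    for ts, src, dst in sources_matching(build_sample()):
        print(ts, src, "->", dst)
```

To run it against a real log, pass the bytes of the active snort.log.xxxxxxxxxx file to `sources_matching` instead of the constructed sample.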