[Snort-users] How to know what is "any" ip address???
wkitty42 at ...14940...
Thu Feb 5 09:31:10 EST 2015
On 2/4/2015 1:04 AM, zT wrote:
> thanks so much, but this file is unreadable. can this be stored in ASCII format?
no... it is the actual binary packet from the network... you need to use a tool
like wireshark or tcpdump to be able to read the contents...
ALSO: please read and follow my signature... *keep list traffic on the list*...
i do not provide private assistance without a signed prepaid contract... thank
> On Wed, Feb 4, 2015 at 6:17 AM, waldo kitty <wkitty42 at ...14940...
> <mailto:wkitty42 at ...14940...>> wrote:
> On 2/2/2015 8:11 AM, zT wrote:
> > hello all i use
> > alert tcp any any -> any any (msg:"network found in packet content!!!";
> > content:"network"; sid:10000; )
> > when snort finds a packet with FB content, i want to know which ip address this
> > comes from (ip header of packet) and store this packet (its content and
> > headers) in a file.
> > how can i do this?
> by default, if you haven't changed the output stuff, snort puts this information
> in the captured pcap file named snort.log.xxxxxxxxxx that is active at the time
> the alert was fired... there's one snort.log.xxxxxxxxxx pcap file active for
> each execution of snort...
NOTE: No off-list assistance is given without prior approval.
Please *keep mailing list traffic on the list* unless
private contact is specifically requested and granted.
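The reply above says the snort.log.xxxxxxxxxx file is a binary pcap and must be read with a tool such as wireshark or tcpdump. As an added illustration (not code from the thread or from Snort), the following Python reads such a pcap with the standard library alone and reports the IP header addresses of every TCP packet whose payload carries the rule's content match "network"; it assumes the usual Ethernet link type and a small constructed sample capture in place of a real snort.log file.

```python
"""Report src/dst IPs of TCP packets in a pcap whose payload contains a
content string (here "network", matching the rule in the thread).
Hypothetical helper, not part of Snort; assumes Ethernet link type."""
import socket
import struct

ETH_HDR = 14  # bytes: dst MAC, src MAC, ethertype


def tcp_payload_matches(pcap_bytes, needle=b"network"):
    """Return [(src_ip, dst_ip, src_port, dst_port)] for matching packets."""
    if pcap_bytes[:4] == b"\xd4\xc3\xb2\xa1":
        endian = "<"          # little-endian pcap magic 0xA1B2C3D4
    elif pcap_bytes[:4] == b"\xa1\xb2\xc3\xd4":
        endian = ">"
    else:
        raise ValueError("not a pcap file")
    hits, off = [], 24        # skip the 24-byte global header
    while off + 16 <= len(pcap_bytes):
        _, _, caplen, _ = struct.unpack_from(endian + "IIII", pcap_bytes, off)
        frame = pcap_bytes[off + 16: off + 16 + caplen]
        off += 16 + caplen
        if len(frame) < ETH_HDR + 20 or frame[12:14] != b"\x08\x00":
            continue          # not an IPv4 frame
        ip = frame[ETH_HDR:]
        ihl = (ip[0] & 0x0F) * 4
        if ip[9] != 6:        # IP protocol field: 6 = TCP
            continue
        src, dst = socket.inet_ntoa(ip[12:16]), socket.inet_ntoa(ip[16:20])
        tcp = ip[ihl:]
        sport, dport = struct.unpack_from("!HH", tcp, 0)
        data_off = (tcp[12] >> 4) * 4
        if needle in tcp[data_off:]:
            hits.append((src, dst, sport, dport))
    return hits


def build_frame(src, dst, sport, dport, payload):
    """Constructed Ethernet/IPv4/TCP frame for the sample (checksums zeroed)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst)) + tcp
    return b"\x00" * 12 + b"\x08\x00" + ip


def build_pcap(frames):
    """Constructed pcap file: global header (linktype 1 = Ethernet) + records."""
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    return hdr + b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)


# Constructed stand-in for snort.log.xxxxxxxxxx (documentation addresses).
SAMPLE_PCAP = build_pcap([
    build_frame("192.0.2.10", "198.51.100.5", 40000, 80, b"GET /network HTTP/1.1\r\n"),
    build_frame("192.0.2.11", "198.51.100.6", 40001, 25, b"EHLO mail\r\n"),
])

if __name__ == "__main__":
    for src, dst, sp, dp in tcp_payload_matches(SAMPLE_PCAP):
        print(f"{src}:{sp} -> {dst}:{dp}")
```

On a real capture, replace SAMPLE_PCAP with the bytes of the snort.log file (open(path, "rb").read()); the same pcap_bytes can be opened in wireshark to confirm the result.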