[Snort-users] How to know what is "any" ip address???

waldo kitty wkitty42 at ...14940...
Thu Feb 5 09:31:10 EST 2015

On 2/4/2015 1:04 AM, zT wrote:
> thanks so much, but this file is unreadable. can this be stored in ASCII format?

no... it is the actual binary packet from the network... you need to use a tool 
like wireshark or tcpdump to be able to read the contents...

ALSO: please read and follow my signature... *keep list traffic on the list*... 
i do not provide private assistance without a signed prepaid contract... thank 

> On Wed, Feb 4, 2015 at 6:17 AM, waldo kitty <wkitty42 at ...14940...
> <mailto:wkitty42 at ...14940...>> wrote:
>     On 2/2/2015 8:11 AM, zT wrote:
>      > hello all i use
>      > alert tcp any any -> any any (msg:"network found in packet content!!!";
>      > content:"network"; sid:10000; )
>      > when snort finds a packet with FB content i want to know which ip address this
>      > packet comes from (ip header of packet) and store this packet (its content and
>      > headers) in a file.
>      > how can i do this?
>     by default, if you haven't changed the output stuff, snort puts this information
>     in the captured pcap file named snort.log.xxxxxxxxxx that is active at the time
>     the alert was fired... there's one snort.log.xxxxxxxxxx pcap file active for
>     each execution of snort...

  NOTE: No off-list assistance is given without prior approval.
        Please *keep mailing list traffic on the list* unless
        private contact is specifically requested and granted.
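
Added example, not part of the original message and not Snort code: a minimal reader for the binary pcap format that snort.log.xxxxxxxxxx uses, returning the source and destination addresses from each packet's IP header. It assumes the classic libpcap file format with microsecond timestamps, Ethernet link type and IPv4; the function names are hypothetical and the one-packet capture is constructed with documentation addresses.

```python
import socket
import struct

def pcap_ip_pairs(data):
    """Yield (src_ip, dst_ip, ip_payload) per IPv4/Ethernet packet in pcap bytes."""
    if data[:4] == b"\xd4\xc3\xb2\xa1":
        endian = "<"          # file written on a little-endian host
    elif data[:4] == b"\xa1\xb2\xc3\xd4":
        endian = ">"          # file written on a big-endian host
    else:
        raise ValueError("not a classic pcap file")
    if struct.unpack(endian + "I", data[20:24])[0] != 1:
        raise ValueError("only Ethernet (link type 1) is handled here")
    offset = 24               # the global header is 24 bytes
    while offset + 16 <= len(data):
        _sec, _usec, incl_len, _orig = struct.unpack(
            endian + "IIII", data[offset:offset + 16])
        frame = data[offset + 16:offset + 16 + incl_len]
        offset += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue          # truncated frame or not IPv4
        ihl = (frame[14] & 0x0F) * 4                 # IP header length
        src = socket.inet_ntoa(frame[26:30])         # IP header bytes 12-15
        dst = socket.inet_ntoa(frame[30:34])         # IP header bytes 16-19
        yield src, dst, frame[14 + ihl:]

def build_sample():
    """Constructed capture: one TCP packet whose payload contains 'network'."""
    payload = b"hello network"
    eth = b"\x00" * 12 + b"\x08\x00"
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 0, 0, 5 << 4, 0x18, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload),
                     0, 0, 64, 6, 0,
                     socket.inet_aton("192.0.2.10"),
                     socket.inet_aton("198.51.100.7"))
    frame = eth + ip + tcp + payload
    ghdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    phdr = struct.pack("<IIII", 1423146670, 0, len(frame), len(frame))
    return ghdr + phdr + frame

if __name__ == "__main__":
    # To read a real log instead: open("snort.log.xxxxxxxxxx", "rb").read()
    for src, dst, body in pcap_ip_pairs(build_sample()):
        print(src, "->", dst, "content match:", b"network" in body)
```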
