<html><body><div style="color:#000; background-color:#fff; font-family:HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif;font-size:16px"><div id="yui_3_16_0_1_1427975890315_3337" dir="ltr"><br></div><div id="yui_3_16_0_1_1427975890315_3337" dir="ltr"><span id="yui_3_16_0_1_1427975890315_3702">Actually, I'm working on this solution: whenever an alert is triggered, Snort should log the malicious traffic in pcap format and save it on the destination machine (or a piece of software tries to open a socket and send it).</span></div><div id="yui_3_16_0_1_1427975890315_3337" dir="ltr"><span><br></span></div><div id="yui_3_16_0_1_1427975890315_3337" dir="ltr"><span id="yui_3_16_0_1_1427975890315_7541">But the problem is that on the destination we would need to read this pcap data in offline mode (I think it may not be the optimum solution).</span></div><div id="yui_3_16_0_1_1427975890315_3337" dir="ltr"><span><br></span></div><div id="yui_3_16_0_1_1427975890315_3337" dir="ltr"><span id="yui_3_16_0_1_1427975890315_8591">Is there any possibility in Snort that whenever an alert is triggered, it uses firewall capability in order to forward the traffic flow to the new destination in real-time mode?
(Or is it even possible to execute a script as an action in Snort after a trigger?)</span></div><div id="yui_3_16_0_1_1427975890315_3337" dir="ltr"><span><br></span></div><div id="yui_3_16_0_1_1427975890315_3337" dir="ltr"><span id="yui_3_16_0_1_1427975890315_19279">Any other idea? Suggestion?</span></div><div id="yui_3_16_0_1_1427975890315_3337" dir="ltr"><span><br></span></div><div id="yui_3_16_0_1_1427975890315_3337" dir="ltr"><span id="yui_3_16_0_1_1427975890315_19638">Tnx</span></div><div id="yui_3_16_0_1_1427975890315_3337" dir="ltr"><span><br></span></div><div id="yui_3_16_0_1_1427975890315_3337" dir="ltr"><span><br></span></div><div id="yui_3_16_0_1_1427975890315_3337" dir="ltr"><span><br></span></div>  <br><div class="qtdSeparateBR"><br><br></div><div class="yahoo_quoted" style="display: block;"> <div style="font-family: HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif; font-size: 16px;"> <div style="font-family: HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif; font-size: 16px;"> <div dir="ltr"> <font size="2" face="Arial"> On Wednesday, April 1, 2015 12:28 PM, Al Lewis (allewi) <allewi@...589...> wrote:<br> </font> </div>  <br><br> <div class="y_msg_container"><div id="yiv8258398872"><style>#yiv8258398872 #yiv8258398872 --
#yiv8258398872 </style><div>
<div class="yiv8258398872WordSection1">
<div class="yiv8258398872MsoNormal"><span style="font-size:11.0pt;">Have you tried capturing the traffic (in pcap format) and then using that (replaying it) for analysis on another machine?</span></div> 
<div class="yiv8258398872MsoNormal"><span style="font-size:11.0pt;">  </span></div> 
<div>
<div class="yiv8258398872MsoNormal"><span style="">Albert Lewis</span></div> 
<div class="yiv8258398872MsoNormal"><span style="">QA Software Engineer</span></div> 
<div class="yiv8258398872MsoNormal"><span style="">SOURCE</span><b><span style="">fire</span></b><span style="">, Inc.
</span><span style="">now part of </span>
<b><span style="">Cisco</span></b><span style=""></span></div> 
<div class="yiv8258398872MsoNormal"><span style="">9780 Patuxent Woods Drive<br clear="none">
Columbia, MD 21046 </span><span style=""></span></div> 
<div class="yiv8258398872MsoNormal"><span style="">Phone: (office) </span><span style="">443.430.7112</span></div> 
<div class="yiv8258398872MsoNormal"><span style="">Email:
</span><span style="">allewi@...589...</span><span style=""> </span><span style=""></span></div> 
</div>
<div class="yiv8258398872MsoNormal"><span style="font-size:11.0pt;">  </span></div> 
<div class="yiv8258398872yqt7398088623" id="yiv8258398872yqt69062"><div>
<div style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in;">
<div class="yiv8258398872MsoNormal"><b><span style="font-size:10.0pt;">From:</span></b><span style="font-size:10.0pt;"> mehrdad hajizadeh [mailto:mehrdad_richman@...131...]
<br clear="none">
<b>Sent:</b> Wednesday, April 01, 2015 1:53 AM<br clear="none">
<b>To:</b> Snort-users@lists.sourceforge.net<br clear="none">
<b>Subject:</b> [Snort-users] Fw: Snort Malicious Traffic Redirection to other IP</span></div> 
</div>
</div>
<div class="yiv8258398872MsoNormal">  </div> 
<div>
<div id="yiv8258398872yui_3_16_0_1_1427865517399_19247">
<div id="yiv8258398872yui_3_16_0_1_1427865338632_3135">
<div class="yiv8258398872MsoNormal" style="background:white;"><span style="">Actually, in this special case I want to separate and send malicious traffic for further analysis on another machine (a honeypot machine, or to get DPI service
 from a central DPI machine).</span></div> 
</div>
<div id="yiv8258398872yui_3_16_0_1_1427865338632_3135">
<div class="yiv8258398872MsoNormal" style="background:white;"><span style="">  </span></div> 
</div>
<div id="yiv8258398872yui_3_16_0_1_1427865338632_3135">
<div class="yiv8258398872MsoNormal" style="background:white;"><span style="">  </span></div> 
</div>
<div class="yiv8258398872MsoNormal" style="background:white;"><span style="">  </span></div> 
</div>
<div id="yiv8258398872yui_3_16_0_1_1427865517399_19257">
<div id="yiv8258398872yui_3_16_0_1_1427865517399_19256">
<div id="yiv8258398872yui_3_16_0_1_1427865517399_19255">
<div id="yiv8258398872yui_3_16_0_1_1427865517399_19254">
<div class="yiv8258398872MsoNormal" style="background:white;"><span style="font-size:10.0pt;">On Tuesday, March 31, 2015 4:47 PM, Joel Esler (jesler) <<a rel="nofollow" shape="rect" ymailto="mailto:jesler@...5925...9..." target="_blank" href="mailto:jesler@...589...">jesler@...589...</a>> wrote:</span><span style=""></span></div> 
</div>
<div class="yiv8258398872MsoNormal" style="margin-bottom:12.0pt;background:white;"><span style="">  </span></div> 
<div id="yiv8258398872yui_3_16_0_1_1427865517399_19259">
<div id="yiv8258398872">
<div id="yiv8258398872yui_3_16_0_1_1427865517399_19258">
<div class="yiv8258398872MsoNormal" style="background:white;"><span style="">Why not put Snort inline and drop the malicious traffic totally?
</span></div> 
<div id="yiv8258398872yui_3_16_0_1_1427865517399_19608">
<div class="yiv8258398872MsoNormal" style="background:white;"><span style="">  </span></div> 
</div>
<div id="yiv8258398872yui_3_16_0_1_1427865517399_19261">
<div class="yiv8258398872MsoNormal" style="background:white;"><span class="yiv8258398872"><span style="font-size:9.0pt;">--</span></span><span style=""><br clear="none">
</span><span class="yiv8258398872"><b><span style="font-size:9.0pt;">Joel Esler</span></b></span><span style=""><br clear="none">
</span><span class="yiv8258398872"><span style="font-size:9.0pt;">Open Source Manager</span></span><span style=""><br clear="none">
</span><span class="yiv8258398872"><span style="font-size:9.0pt;">Threat Intelligence Team Lead</span></span><span style=""><br clear="none">
</span><span class="yiv8258398872"><span style="font-size:9.0pt;">Talos Group</span></span><span style=""></span></div> 
</div>
<div id="yiv8258398872yui_3_16_0_1_1427865517399_19265">
<div class="yiv8258398872MsoNormal" style="background:white;"><span style="">  </span></div> 
<div id="yiv8258398872yui_3_16_0_1_1427865517399_19264">
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt;">
<div id="yiv8258398872yqt14158">
<div>
<div class="yiv8258398872MsoNormal" style="background:white;"><span style="">On Mar 31, 2015, at 1:17 AM, mehrdad hajizadeh <<a rel="nofollow" shape="rect" ymailto="mailto:mehrdad_richman@...131..." target="_blank" href="mailto:mehrdad_richman@...131...">mehrdad_richman@...131...</a>> wrote:</span></div> 
</div>
<div class="yiv8258398872MsoNormal" style="background:white;"><span style="">  </span></div> 
<div id="yiv8258398872yui_3_16_0_1_1427865517399_19262">
<div id="yiv8258398872yui_3_16_0_1_1427865517399_19286">
<div id="yiv8258398872yui_3_16_0_1_1427865517399_19285">
<div id="yiv8258398872yui_3_16_0_1_1427777836862_8484">
<div class="yiv8258398872MsoNormal" style="background:white;"><span style="">  </span></div> 
</div>
<div id="yiv8258398872yui_3_16_0_1_1427777836862_8484">
<div class="yiv8258398872MsoNormal" style="background:white;"><span style="">Hello All,</span></div> 
</div>
<div id="yiv8258398872yui_3_16_0_1_1427777836862_8484">
<div class="yiv8258398872MsoNormal" style="background:white;"><span style="">  </span></div> 
</div>
<div id="yiv8258398872yui_3_16_0_1_1427777836862_8484">
<div class="yiv8258398872MsoNormal" style="background:white;"><span style="">I was wondering if somebody could help me with how I can redirect malicious traffic to another IP or host with Snort.</span></div> 
</div>
<div id="yiv8258398872yui_3_16_0_1_1427777836862_8484">
<div class="yiv8258398872MsoNormal" style="background:white;"><span style="">Is it possible in Snort to redirect specific traffic (the traffic which matches a Snort attack signature) to one specific computer? I just
 want to separate malicious traffic from normal traffic with Snort.</span></div> 
</div>
<div id="yiv8258398872yui_3_16_0_1_1427777836862_8484">
<div class="yiv8258398872MsoNormal" style="background:white;"><span style="">Tnx in advance</span></div> 
</div>
<div id="yiv8258398872yui_3_16_0_1_1427865517399_19284">
<div class="yiv8258398872MsoNormal" style="background:white;"><span style="">  </span></div> 
</div>
</div>
</div>
</div>
</div>
</blockquote>
</div>
<div class="yiv8258398872MsoNormal" style="background:white;"><span style="">  </span></div> 
</div>
</div>
</div>
<div class="yiv8258398872MsoNormal" style="margin-bottom:12.0pt;background:white;"><span style="">  </span></div> 
</div>
</div>
</div>
</div>
</div></div>
</div>
</div></div><br><br></div>  </div> </div>  </div></div></body></html>