Snort mailing list archives
Re: capturing a suspicious traffic stream
From: Martin Roesch <roesch () sourcefire com>
Date: Mon, 22 Oct 2001 19:54:17 -0400
Snort can mostly do this with tags and stream4. Write a rule like this:
alert tcp any any -> $HOME_NET 80 \
(content: "cmd.exe"; \
msg: "WEB cmd.exe request"; \
tag: session, 300, seconds;)
and it'll capture the next 300 seconds worth of this session. If you're
running stream4 and logging in -b mode, it'll also cause stream4 to dump
out the packet cache for that session when it detects the alert has gone
off, which will record some limited information about what came before
the attack packet as well (in build 81 and higher).
Not quite 100%, but getting there...
-Marty
phillip mawson wrote:
Hi all,

I'm a new snort user and have a question about capturing suspicious data. Can snort be used to capture a stream of data that appears malicious? By stream I mean the whole conversation between client and server, not just the offending packet. For example: you have snort set in IDS mode, with a rule set to alert on the "cmd.exe" string and log the offending packet. The offending packet by itself may not give you enough information to identify whether the scan is a false positive or not, so you want to be able to log the entire conversation, part of it being the packet containing the "cmd.exe" string. Can anyone think of ways to achieve this? To me this seems like a stateful feature that might be achievable with stream4???

thanks
Phill
-- Martin Roesch - President, Sourcefire Inc. - (410)552-6999 roesch () sourcefire com - http://www.sourcefire.com Snort: Open Source Network IDS - http://www.snort.org
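The tag: session behaviour Marty describes, modelled in Python as an added example (this is not Snort's own code): once a packet matches the rule, every later packet of the same client/server session is logged until the 300 second window runs out, while other sessions and packets past the window are ignored. Only the tag option is modelled, not the stream4 packet-cache dump of packets that preceded the alert; the Packet class, tag_sessions function and the sample conversation are assumptions made for this example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    ts: float      # seconds since capture start
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes

def session_key(p):
    # Direction-independent endpoint pair, so both halves of the conversation match
    return frozenset({(p.src, p.sport), (p.dst, p.dport)})

def tag_sessions(packets, pattern, dport, seconds):
    """Return (reason, packet) pairs Snort would log for a rule whose content
    matches `pattern` on `dport` with `tag: session, <seconds>, seconds`."""
    expiry = {}      # session key -> time until which the session stays tagged
    logged = []
    for p in sorted(packets, key=lambda x: x.ts):
        key = session_key(p)
        if p.dport == dport and pattern in p.payload:
            expiry[key] = p.ts + seconds          # alert fires: (re)start tagging
            logged.append(("alert", p))
        elif key in expiry:
            if p.ts <= expiry[key]:
                logged.append(("tagged", p))      # later packet of the same session
            else:
                del expiry[key]                   # tag window has elapsed
    return logged

# Constructed sample conversation (not real capture data)
CLIENT, SERVER = "10.0.0.5", "192.0.2.10"
SAMPLE = [
    Packet(0.0, CLIENT, 40000, SERVER, 80, b"GET /index.html HTTP/1.0\r\n"),   # before the alert
    Packet(5.0, CLIENT, 40000, SERVER, 80, b"GET /cmd.exe HTTP/1.0\r\n"),      # triggers the rule
    Packet(5.2, SERVER, 80, CLIENT, 40000, b"HTTP/1.0 404 Not Found\r\n"),     # server reply
    Packet(250.0, CLIENT, 40000, SERVER, 80, b"GET /robots.txt HTTP/1.0\r\n"), # still inside 300 s
    Packet(9.0, "10.0.0.7", 41000, SERVER, 80, b"GET / HTTP/1.0\r\n"),         # unrelated session
    Packet(400.0, CLIENT, 40000, SERVER, 80, b"GET /a HTTP/1.0\r\n"),          # past the window
]

def demo():
    return tag_sessions(SAMPLE, b"cmd.exe", 80, 300)

if __name__ == "__main__":
    for reason, p in demo():
        print(f"{p.ts:6.1f} {reason:7} {p.src}:{p.sport} -> {p.dst}:{p.dport} {p.payload!r}")
```

Note that the packet at t=0 is not logged, which is exactly the gap Marty says the stream4 packet cache (build 81 and higher, logging in -b mode) is meant to fill.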
