Snort mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Using snort with paper while alerting

From: beenph <beenph () gmail com>
Date: Tue, 4 Dec 2012 12:51:50 -0500
On Tue, Dec 4, 2012 at 12:31 PM,  <honeybadger () q com> wrote:

Hey all,

I am trying to get my head how to script this.

I want a packet capture when SNORT alerts that a server is getting a UDP
packet.

I know the rule is alert UDP any any - > serverip any.


Its not exactly a scripted packet capture but it can ressemble what you want.

http://manual.snort.org/node529.html

alert udp any any  -> server_ip any (msg:"blabla to server";
sid:10000001; rev:1;   tag:host,0,packets,src;
flowbits:set,INCOMMING_STUFF)
alert udp server_ip any  -> any any (msg:"blabla from server";
sid:10000002; rev:1;   tag:host,0,packets,src;
flowbits:isset,INCOMMING_STUFF)

-elz

------------------------------------------------------------------------------
LogMeIn Rescue: Anywhere, Anytime Remote support for IT. Free Trial
Remotely access PCs and mobile devices and provide instant support
Improve your efficiency, and focus on delivering more value-add services
Discover what IT Professionals Know. Rescue delivers
http://p.sf.net/sfu/logmein_12329d2d
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
Previous By Date Next
Previous By Thread Next

Current thread: