Snort mailing list archives
RE: Understanding how to setup snort...
From: "Hicks, John" <JHicks () JUSTICE GC CA>
Date: Wed, 11 Dec 2002 14:03:55 -0500
Try this as a rule:

log tcp $AIM_SERVERS any <-> $HOME_NET any (msg:"AIM Packet";)

Since the AIM servers are a variable in the newer snort it makes it very easy to trace *all* traffic to/from the known servers.

HTH,
John

-----Original Message-----
From: Andy Monroe [mailto:aim () linux-info net]
Sent: Thursday, December 05, 2002 3:42 PM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Understanding how to setup snort...

I read the snort manual, but it simply is not clicking with me. The only thing I want to use snort for is to search AIM traffic for specific keywords (as in illicit activity). I have found this rule from the mailing list:

log tcp any any -> any any (msg:"AIM packet"; content:"|2A 02|"; depth:2; flags:AP+; classtype:not-suspicious; priority:0;)

How do I go about logging all the AIM traffic? First off, it looks like the above rule will NOT log the content. Doesn't the rule also need to have "session: printable;"? Second, I don't understand the role that the snort.conf plays in things. The only thing I want to do is run snort in packet logger mode to search the AIM packets, nothing else. Can someone either point me to some info that can guide me in this quest? Or simply enlighten me?

Andy

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
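The rule quoted in the thread keys on the first two bytes of the TCP payload. To show exactly what `content:"|2A 02|"; depth:2;` does and does not catch, here is an added example (my own code, not from either poster or from the Snort project) that parses the AIM/OSCAR FLAP header and applies the same content/depth check to a few constructed payloads. The sample payloads are made up for the demo; the point it makes is that the rule only sees channel-2 (SNAC data) frames, so channel-1 connection frames and any frame not at payload offset 0 are missed.

```python
import struct
from typing import Optional

# Constructed sample TCP payloads (not captured traffic). An OSCAR/AIM "FLAP"
# frame starts with the marker byte 0x2A, then a channel byte (1 = new
# connection, 2 = SNAC data, 4 = close), a 16-bit big-endian sequence number
# and a 16-bit big-endian length of the data that follows.
SAMPLES = {
    "snac_data":   bytes.fromhex("2a02 0001 0005") + b"hello",
    "new_conn":    bytes.fromhex("2a01 0000 0004") + bytes.fromhex("00000001"),
    "http_get":    b"GET / HTTP/1.0\r\n\r\n",
    "late_marker": b"xx" + bytes.fromhex("2a02 0002 0000"),
}


def rule_matches(payload: bytes, content: bytes = b"\x2a\x02", depth: int = 2) -> bool:
    """Mimic Snort's content/depth semantics: the pattern must lie entirely
    within the first `depth` bytes of the payload."""
    return content in payload[:depth]


def parse_flap(payload: bytes) -> Optional[dict]:
    """Parse a FLAP header; return None if the payload is not a well-formed frame
    (wrong marker, truncated header, or declared length longer than the data)."""
    if len(payload) < 6 or payload[0] != 0x2A:
        return None
    channel, seq, length = struct.unpack("!BHH", payload[1:6])
    if len(payload) - 6 < length:
        return None
    return {"channel": channel, "seq": seq, "data": payload[6:6 + length]}


def classify(payload: bytes) -> str:
    """Describe what the mailing-list rule would do with this payload, and why."""
    frame = parse_flap(payload)
    if frame is None:
        return "not FLAP"
    verdict = "match" if rule_matches(payload) else "no match"
    return f"FLAP ch{frame['channel']} seq={frame['seq']} rule={verdict}"


if __name__ == "__main__":
    for name, payload in SAMPLES.items():
        print(f"{name:12s} {classify(payload)}")
```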