Snort mailing list archives

RE: Catchall Rule


From: "Gary Hill" <ghill () domicilium com>
Date: Thu, 6 Feb 2003 15:03:38 -0000

I take it this rule won't capture non-TCP/UDP/ICMP traffic such as IPsec!
 
Can you create a rule that looks at all IP traffic, rather than each protocol on top of it?
 
 

        -----Original Message----- 
        From: Rodney Green [mailto:rgreen () trayerproducts com] 
        Sent: Thu 06/02/2003 14:39 
        To: John Cherbini; 'Snort User Groups' 
        Cc: 
        Subject: Re: [Snort-users] Catchall Rule
        
        
        John,
         
        How do you get the data captured by those rules into the DB? I'd like
        to play around with doing that.
         
        Thanks,
        Rod

                ----- Original Message ----- 
                From: John Cherbini <cherbini () dakotacom net>
                To: 'Snort User Groups' <snort-users () lists sourceforge net>
                Sent: Wednesday, February 05, 2003 11:28 PM
                Subject: RE: [Snort-users] Catchall Rule


                We wanted to have them all logged into a DB, and most importantly, parsed!  And we didn't feel like writing our own parser.

                I've got it figured out though......with these rules 

                ######CATCHALL RULES######## 
                # sid/rev added so the rules load on Snort 2.9 and later 
                alert tcp any any -> any any (msg:"tcp traffic"; sid:1000001; rev:1;) 
                alert udp any any -> any any (msg:"udp traffic"; sid:1000002; rev:1;) 
                alert icmp any any -> any any (msg:"icmp traffic"; sid:1000003; rev:1;) 
                ############################ 

                John C. 

                > -----Original Message----- 
                > From: Jacob Redding [mailto:dextor () WiredGeek com] 
                > Sent: Wednesday, February 05, 2003 9:18 PM 
                > To: John Cherbini 
                > Cc: 'Snort User Groups' 
                > Subject: Re: [Snort-users] Catchall Rule 
                > 
                > 
                >   Why not just use tcpdump?? 
                > 
                > -Jacob 
                > 
                > On Wed, 5 Feb 2003, John Cherbini wrote: 
                > 
                > > Hello everyone... 
                > > 
                > > We're working on a project, where as a part of it, we would like to 
                > > use snort to add *every* packet it reads in a file to the DB. 
                > > 
                > > I've got the command line down, but I'd like to check on a 
                > rule that 
                > > will set *every* packet to generate a flag. 
                > > 
                > > After looking through this doc.. 
                > > 
                > > http://www.snort.org/docs/writing_rules/chap2.html 
                > > 
                > > I'm thinking something like this: 
                > > 
                > > Alert tcp any any -> any (content:"|45 00|"; msg: "Catchall Rule";) 
                > > Alert udp any any -> any (content:"|45 00|"; msg: "Catchall Rule";) 
                > > Alert icmp any any -> any (content:"|45 00|"; msg: "Catchall Rule";) 
                > > 
                > > My concern is the third "any"...not sure if that will work. 
                > > 
                > > Does anyone have any input on this? 
                > > 
                > > I'd appreciate any advice! 
                > > 
                > > Thanks! 
                > > 
                > > John Cherbini 
                > > 
                > 
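Added example, not written by any of the posters: the three catch-all rules from the thread only match packets whose transport is TCP, UDP or ICMP, so anything else carried directly over IP (ESP, AH, GRE, OSPF, ...) is never seen by them. Snort's rule language has `ip` as a protocol, which matches every IP packet regardless of what sits above it, and `ip_proto` to pin a specific protocol number. The SIDs, the event-queue line and the database credentials below are placeholders; the `output database` plugin is the Snort 2.x one, removed in later 2.9 releases in favour of unified2 plus barnyard2.

```snort
# Added example (editorial, not from the thread). Put these in local.rules
# or directly in snort.conf. SIDs in the 1000000+ local range are placeholders.

# The three rules from the thread: they only see packets whose transport is
# TCP, UDP or ICMP. ESP (IP protocol 50) and AH (51) never match them.
alert tcp any any -> any any (msg:"tcp traffic"; sid:1000001; rev:1;)
alert udp any any -> any any (msg:"udp traffic"; sid:1000002; rev:1;)
alert icmp any any -> any any (msg:"icmp traffic"; sid:1000003; rev:1;)

# "ip" as the protocol matches every IP packet regardless of the layer above
# it, so this single rule is the real catch-all (it also fires for TCP/UDP/ICMP).
alert ip any any -> any any (msg:"ip traffic"; sid:1000004; rev:1;)

# If IPsec should be called out by name, match on the IP protocol number.
alert ip any any -> any any (msg:"esp traffic"; ip_proto:50; sid:1000005; rev:1;)
alert ip any any -> any any (msg:"ah traffic"; ip_proto:51; sid:1000006; rev:1;)

# Snort 2 event queue (defaults shown): when several rules match one packet
# only `log` events per packet are written, so either keep just the "ip" rule
# or raise these limits if every match must reach the database.
config event_queue: max_queue 8 log 3 order_events content_length

# Snort 2.x database output plugin; password is a placeholder.
output database: alert, mysql, user=snort password=CHANGEME dbname=snort host=localhost
```

Check the file loads before deploying it with `snort -T -c snort.conf`. Be aware that with the `ip` rule in place every packet on the wire produces an alert row, which is exactly what the original poster asked for but is far more load on the database than a packet logger (`snort -b -l <dir>`) writing pcap would be.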


