Snort mailing list archives
Re: Catchall Rule
From: Martin Roesch <roesch () sourcefire com>
Date: Mon, 10 Feb 2003 11:11:01 -0500
Erek is right.
log ip any any -> any any
You don't need that trailing semi-colon and it won't pick up the ARP, but
other than that it'll work fine.
I'd recommend using Snort -> Barnyard -> CSV -> a bulkloader if possible,
but that's just me...
-Marty
On 2/6/03 10:32 AM, "Erek Adams" <erek () snort org> wrote:
On Thu, 6 Feb 2003, Gary Hill wrote:I take it this rule wont capture non-tcp/udp/icmp traffic such as IPSEC!Can you create a rule that looks at all IP traffic, rather then each protocol on the top of itSure. log ip any any -> $HOME_NET any; But traffic isn't always ip traffic.... log icmp any any -> $HOME_NET any; log arp any any -> $HOME_NET any; (Ok, the last one is silly, but he said "all traffic". :) From what I'm getting, you want to snarf all the frames on the wire, then shove that into a DB. If you do, be _sure_ to have acres of disk, and one helluva machine for the DB. You might get better performance using Barnyard to spool the files. If realtime isn't an issue, you might be better off with tcpdump and then using Snort to post process. Cheers! ----- Erek Adams "When things get weird, the weird turn pro." H.S. Thompson ------------------------------------------------------- This SF.NET email is sponsored by: SourceForge Enterprise Edition + IBM + LinuxWorld = Something 2 See! http://www.vasoftware.com _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
-- Martin Roesch - Founder/CTO, Sourcefire Inc. - (410)290-1616 Sourcefire: Professional Snort Sensor and Management Console appliances roesch () sourcefire com - http://www.sourcefire.com Snort: Open Source Network IDS - http://www.snort.org ------------------------------------------------------- This SF.NET email is sponsored by: SourceForge Enterprise Edition + IBM + LinuxWorld = Something 2 See! http://www.vasoftware.com _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- Re: Catchall Rule, (continued)
- Re: Catchall Rule Jacob Redding (Feb 06)
- RE: Catchall Rule John Cherbini (Feb 05)
- Re: Catchall Rule Rodney Green (Feb 06)
- RE: Catchall Rule John Cherbini (Feb 06)
- Re: Catchall Rule Rodney Green (Feb 06)
- RE: Catchall Rule John Cherbini (Feb 05)
- Re: Catchall rule njharris (Feb 05)
- RE: Catchall Rule Gary Hill (Feb 06)
- RE: Catchall Rule Erek Adams (Feb 06)
- RE: Catchall Rule John Cherbini (Feb 06)
- Re: Catchall Rule Ashley Thomas (Feb 06)
- Re: Catchall Rule Martin Roesch (Feb 10)
- RE: Catchall Rule Erek Adams (Feb 06)
- RE: Catchall Rule Gonzalez, Albert (Feb 06)
- RE: Catchall Rule Gary Hill (Feb 06)
- RE: Catchall Rule John Cherbini (Feb 06)
- Re: Catchall Rule Kenton Smith (Feb 06)