Snort mailing list archives

Re: Alerts and packet capture - MYSQL


From: Erek Adams <erek () snort org>
Date: Mon, 19 May 2003 19:21:13 -0400 (EDT)

On Mon, 19 May 2003, Snow Jacob C KPWA wrote:

I am using snort 2.0 to capture data based on a custom rule:

alert tcp $HOME_NET any -> $EXTERNAL_NET :1024 (msg:"Syn Outbound";flags:S;tag:session,2,packets;)

and logging this information to a MySQL database.  I then want to look
through this data to see if a synack is sent back (aka a complete
handshake/connection).  I am capturing additional packets as well.  When I
try and view the additional packets in snort I am only getting the packet
that triggers the rule not the extra packets that were captured.  Is there a
way to view this information with acid or am I stuck doing it by hand?

Snort only logs the packets that match the rule.  This rule will only flag
outbound SYNs.  It won't help with returning SYNACKs.  You would need a
second rule to look for SYNACK with a 'flags:SA'.

Also is there a way to write the rule such that it won't trigger if I don't
get a synack back?

If I'm following this right, you want the above rule to alert if and only
if there is an outbound SYN followed by a returning SYNACK from the
destination IP of the SYN packet?  If so, then no.  That would be a job
better handled by a preprocessor.  Perhaps something similar to
portscan(2)....


Does ACID already do this and I am missing something?  A little advice
from the snort gurus and everyone else would be nice :-).

ACID is simply a way to view data.  It doesn't deal with rules, it simply
pulls data from the DB and displays it via PHP.

Hope that helps!

-----
Erek Adams

   "When things get weird, the weird turn pro."   H.S. Thompson
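Since Snort itself can't tie the outbound SYN to a returning SYNACK, the correlation has to happen after the fact over the logged alerts. The script below is an added illustration, not code from the thread or from Snort: it assumes a second rule roughly like `alert tcp $EXTERNAL_NET :1024 -> $HOME_NET any (msg:"SynAck Inbound";flags:SA;)` has been added, that both rules log to the same database, and that the rows can be read back with the (assumed) field names shown; the sample alerts are constructed.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Alert:
    """One row as the two rules would log it (field names are assumed)."""
    ts: float     # alert timestamp, seconds
    sig: str      # rule msg: "Syn Outbound" (from the thread) or "SynAck Inbound" (assumed)
    src: str
    sport: int
    dst: str
    dport: int


# Constructed sample: two SYNs get a mirrored SYNACK, one never does, and one
# SYNACK arrives too late to plausibly belong to its SYN.
SAMPLE_ALERTS = [
    Alert(100.0, "Syn Outbound", "10.0.0.5", 40001, "192.0.2.10", 80),
    Alert(100.1, "SynAck Inbound", "192.0.2.10", 80, "10.0.0.5", 40001),
    Alert(101.0, "Syn Outbound", "10.0.0.5", 40002, "192.0.2.20", 443),
    Alert(102.0, "Syn Outbound", "10.0.0.7", 40003, "192.0.2.30", 25),
    Alert(108.0, "SynAck Inbound", "192.0.2.30", 25, "10.0.0.7", 40003),
]


def match_handshakes(alerts, window=3.0):
    """Split outbound-SYN alerts into (completed, unanswered).

    A SYN is 'completed' when a SYNACK alert whose 4-tuple is the mirror of
    the SYN's (dst->src, dport->sport) was logged within `window` seconds
    after it.  Everything else is reported as unanswered.
    """
    synacks = defaultdict(list)
    for a in alerts:
        if a.sig == "SynAck Inbound":
            # key in the orientation of the SYN that would have provoked it
            synacks[(a.dst, a.dport, a.src, a.sport)].append(a.ts)

    completed, unanswered = [], []
    for a in alerts:
        if a.sig != "Syn Outbound":
            continue
        key = (a.src, a.sport, a.dst, a.dport)
        if any(0 <= t - a.ts <= window for t in synacks.get(key, [])):
            completed.append(a)
        else:
            unanswered.append(a)
    return completed, unanswered
```

Running `match_handshakes(SAMPLE_ALERTS)` yields one completed handshake (10.0.0.5:40001 to 192.0.2.10:80) and two unanswered SYNs; the window keeps a stray SYNACK seconds later from being credited to an old SYN.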

