Snort mailing list archives
Re: Capturing incoming packets?
From: Erek Adams <erek () snort org>
Date: Mon, 16 Jun 2003 10:16:23 -0400 (EDT)
On Sat, 14 Jun 2003 guano () hackerfactor com wrote: [...snip...]
Thus, snort will capture exactly half of this session. Since the entire session was initiated by <IP>, I want the entire session filtered. Not just the requests, but the replies as well. Any snort option that does not take session-tracking into account will be unable to do this. Is there a method for snort to capture everything that is not part of a session initiated by <IP>?
What you are trying to do isn't really as easy as it seems. Basically, you're wanting Snort to grab all incoming packets that aren't in response to an initiated connection. If that's correct then I don't know of any way for it to be done. There's not a plugin that does that, and stream4 can handle the streams part but it doesn't really track the state in that way. You could use "flow: to_server, established" and tag some of the packets, but that's still not going to do exactly what you want. You might want to try to log everything to a pcap, and using a fairly complex bpf statement to filter out what you don't want to see. Then you could run the resulting file back through Snort and alert on the odd events. That's still not going to be exactly what you want... :( Wish I could give you a better answer, but I just don't have any idea on how that could be done. Anyone else?

Cheers!

-----
Erek Adams
"When things get weird, the weird turn pro." H.S. Thompson