Snort mailing list archives
tag:host
From: "Xin, Qiao" <qxin () cio sc gov>
Date: Wed, 15 Apr 2015 17:54:13 +0000
Hi,

I have a question on how tag:host works. I have a rule based on the content of the packet:

alert udp $HOME_NET any -> any any (msg:"suspicious traffic--"; content:"bad content"; nocase; tag:host, 60, packets, dst; classtype:bad-unknown; sid:1000001; rev:0;)

I want to capture traffic coming from any HOME_NET host to the destination IP in the alert packets. Will "tag:host" and the "dst" option work? If it works, in which file will the packets captured by tag:host be stored? How can we easily associate the packets captured by the tag:host action with the packets captured by the Snort alert?

Thanks,
Qiao
_______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news!
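The last question in the post, how to tie tagged packets back to the alert that started them, comes down to the record layout of Snort's unified2 output. The following is an added example, not code from the original thread or from the Snort project: it builds a small constructed unified2 byte stream (one legacy IPv4 IDS event record, type 7, plus packet records, type 2) and groups packet records with their event by the (sensor_id, event_id, event_second) triple that both record types carry. The record field layouts are those of unified2; the sample sensor id, event ids, addresses and packet bytes are invented for the example, and a real unified2 file would also contain record types this parser simply skips.

```python
"""Correlate unified2 packet records with the IDS event that produced them.

Added example with constructed sample records; not the Snort project's code.
"""
import struct
import ipaddress
from collections import defaultdict

# unified2 record types
UNIFIED2_PACKET = 2
UNIFIED2_IDS_EVENT = 7          # legacy IPv4 event record

REC_HDR = struct.Struct(">II")                    # type, length
# sensor_id, event_id, event_second, event_microsecond, signature_id,
# generator_id, signature_revision, classification_id, priority_id,
# ip_source, ip_destination, sport_itype, dport_icode, protocol,
# impact_flag, impact, blocked
IDS_EVENT = struct.Struct(">IIIIIIIIIIIHHBBBB")   # 52 bytes
# sensor_id, event_id, event_second, packet_second, packet_microsecond,
# linktype, packet_length; the raw packet bytes follow
PKT_HDR = struct.Struct(">IIIIIII")               # 28 bytes + packet data


def build_ids_event(sensor_id, event_id, event_second, sid, src, dst,
                    sport, dport, proto=17, gid=1, rev=0, class_id=0, prio=2):
    """Serialise one type-7 event record (used here to build sample input)."""
    body = IDS_EVENT.pack(sensor_id, event_id, event_second, 0, sid, gid, rev,
                          class_id, prio, int(ipaddress.IPv4Address(src)),
                          int(ipaddress.IPv4Address(dst)), sport, dport,
                          proto, 0, 0, 0)
    return REC_HDR.pack(UNIFIED2_IDS_EVENT, len(body)) + body


def build_packet(sensor_id, event_id, event_second, pkt_second, data, linktype=1):
    """Serialise one type-2 packet record carrying the owning event's ids."""
    body = PKT_HDR.pack(sensor_id, event_id, event_second, pkt_second, 0,
                        linktype, len(data)) + data
    return REC_HDR.pack(UNIFIED2_PACKET, len(body)) + body


def iter_records(blob):
    """Walk the record stream; refuse a record whose declared length overruns."""
    off = 0
    while off + REC_HDR.size <= len(blob):
        rtype, rlen = REC_HDR.unpack_from(blob, off)
        off += REC_HDR.size
        if off + rlen > len(blob):
            raise ValueError("truncated unified2 record")
        yield rtype, blob[off:off + rlen]
        off += rlen


def correlate(blob):
    """Group packet records under the event sharing their id triple.

    The triggering packet and any tag:-logged packets all arrive as type-2
    records with the same sensor_id/event_id/event_second as the event.
    """
    groups = defaultdict(lambda: {"event": None, "packets": []})
    for rtype, body in iter_records(blob):
        if rtype == UNIFIED2_IDS_EVENT:
            f = IDS_EVENT.unpack(body)
            groups[(f[0], f[1], f[2])]["event"] = {
                "sid": f[4], "gid": f[5], "rev": f[6],
                "src": str(ipaddress.IPv4Address(f[9])),
                "dst": str(ipaddress.IPv4Address(f[10])),
                "sport": f[11], "dport": f[12], "proto": f[13],
            }
        elif rtype == UNIFIED2_PACKET:
            f = PKT_HDR.unpack_from(body)
            data = body[PKT_HDR.size:PKT_HDR.size + f[6]]
            groups[(f[0], f[1], f[2])]["packets"].append(
                {"second": f[3], "length": f[6], "data": data})
        # other record types (extra data, IPv6 events, ...) are skipped here
    return dict(groups)


# Constructed sample: event 17 fired by a UDP packet, then one tagged packet
# logged under the same ids, plus a stray packet belonging to event 18.
SAMPLE = (
    build_ids_event(1, 17, 1429120453, sid=1000001, src="10.0.0.5",
                    dst="203.0.113.9", sport=40000, dport=53)
    + build_packet(1, 17, 1429120453, 1429120453, b"\x45\x00" + b"\x00" * 26)
    + build_packet(1, 17, 1429120453, 1429120454, b"\x45\x00" + b"\x00" * 40)
    + build_packet(1, 18, 1429120460, 1429120460, b"\x45\x00" + b"\x00" * 10)
)

if __name__ == "__main__":
    for key, grp in correlate(SAMPLE).items():
        ev = grp["event"]
        label = f"sid {ev['sid']} {ev['src']} -> {ev['dst']}" if ev else "event not in this file"
        print(f"sensor/event/second {key}: {label}, {len(grp['packets'])} packet record(s)")
```

The same grouping applies to whatever reads the unified2 file (u2spewfoo, barnyard2, or a custom consumer): the packets tagged by the rule are not written to a separate file but appear as further packet records under the alert's own event ids, so the key above is what associates them.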
Current thread:
- tag:host Xin, Qiao (Apr 15)
- Re: tag:host Al Lewis (allewi) (Apr 15)
- Re: tag:host Xin, Qiao (Apr 15)
- Re: tag:host Al Lewis (allewi) (Apr 15)
- Re: tag:host Xin, Qiao (Apr 15)
- Re: tag:host Al Lewis (allewi) (Apr 15)