Logging Application Traffic

Problem

You want to log all traffic that belongs to a particular application.

Solution

Make use of the session keyword that was introduced in Recipe 2.n.

Description

If your application, like most, uses a fixed port on a particular machine, write a rule whose header matches that host and port, and add the session keyword so that the matching traffic is recorded rather than merely alerted on. The <> direction operator makes the rule match both directions of the connection. For example, to record all traffic to and from a MySQL server running on TCP 3306 on a particular machine (192.168.0.8, for example), use the following rule:

alert tcp any any <> 192.168.0.8 3306 (msg: "MySQL"; session: all;)
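To make the rule's behaviour concrete, the following added Python model (written for this page, not Snort's own code) re-implements the two parts of that rule on constructed sample packets: the header "tcp any any <> 192.168.0.8 3306", including the bidirectional <> match, and the session keyword's "printable" and "all" modes, which in Snort keep only printable payload bytes or the whole payload respectively. The packet records and payloads are constructed, and the printable filter is an approximation of Snort's.

```python
import ipaddress
import string
from dataclasses import dataclass

# Constructed model of: alert tcp any any <> 192.168.0.8 3306 (msg:"MySQL"; session: all;)
RULE_HOST = ipaddress.ip_address("192.168.0.8")
RULE_PORT = 3306
# Approximation of Snort's "printable" filter: keep ASCII printable bytes only.
PRINTABLE = set(bytes(string.printable, "ascii"))


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes


def matches_rule(pkt):
    """True if pkt matches the header 'tcp any any <> 192.168.0.8 3306'."""
    if pkt.proto != "tcp":
        return False
    to_server = ipaddress.ip_address(pkt.dst) == RULE_HOST and pkt.dport == RULE_PORT
    from_server = ipaddress.ip_address(pkt.src) == RULE_HOST and pkt.sport == RULE_PORT
    return to_server or from_server  # '<>' matches either direction


def session_key(pkt):
    """Map both directions of one connection to a single (client, server) key."""
    if ipaddress.ip_address(pkt.src) == RULE_HOST and pkt.sport == RULE_PORT:
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport)
    return (pkt.src, pkt.sport, pkt.dst, pkt.dport)


def record(payload, mode):
    """What the session keyword keeps from one packet's payload."""
    if mode == "all":
        return payload
    if mode == "printable":
        return bytes(b for b in payload if b in PRINTABLE)
    raise ValueError("unknown session mode: %r" % mode)


def log_sessions(packets, mode="printable"):
    """Apply the rule to a packet list; return {session_key: recorded bytes}."""
    sessions = {}
    for pkt in packets:
        if not matches_rule(pkt):
            continue
        sessions.setdefault(session_key(pkt), bytearray()).extend(record(pkt.payload, mode))
    return {k: bytes(v) for k, v in sessions.items()}


# Constructed sample traffic: one MySQL exchange plus two non-matching packets.
SAMPLE = [
    Packet("tcp", "192.168.0.50", 40212, "192.168.0.8", 3306, b"\x00\x00\x01\x85\xa6SELECT 1"),
    Packet("tcp", "192.168.0.8", 3306, "192.168.0.50", 40212, b"\x01\x00\x00\x01\x01OK"),
    Packet("tcp", "192.168.0.50", 40213, "192.168.0.9", 3306, b"other host"),   # wrong host
    Packet("udp", "192.168.0.50", 5353, "192.168.0.8", 3306, b"not tcp"),       # wrong proto
]

if __name__ == "__main__":
    for key, data in log_sessions(SAMPLE, "printable").items():
        print("session %s:%d <-> %s:%d printable payload: %r" % (key + (data,)))
    for key, data in log_sessions(SAMPLE, "all").items():
        print("session %s:%d <-> %s:%d raw payload: %r" % (key + (data,)))
```

Running it shows the two MySQL packets collapsing into one logged session while the packet to a different host and the UDP packet are ignored; switching the mode from "printable" to "all" keeps the binary protocol header bytes that the printable filter drops, which is the trade-off between the two session options.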
See Also

Snort Users Manual

Recipe 2.27
Snort Cookbook
ISBN: 0596007914
Year: 2006
Pages: 167