Problem
You want to log all traffic that belongs to a particular application.
Solution
Make use of the session keyword that was introduced in Recipe 2.n.
Description
If your application, like most do, uses a particular port on a particular machine, write a rule that detects this and use the session keyword to record it. For example, to record all traffic to and from a MySQL server running on TCP 3306 on a particular machine (192.168.0.8, for example), use the following rule:
alert tcp any any <> 192.168.0.8 3306 (msg: "MySQL"; session: all;)
See Also
Snort Users Manual
Recipe 2.27
Recognizing HTTP Traffic on Unusual Ports |
Installing Snort from Source on Unix
Logging to a File Quickly
How to Build Rules
Detecting Stateless Attacks and Stream Reassembly
Managing Snort Sensors
Generating Statistical Output from Snort Logs
Monitoring Network Performance
Index