On Sat, 22 Sep 2001, ricci wrote:

> Are there any tools that I can use for capturing the network packets
> from a particular source IP only after a particular program has been executed?
> A snort program can be used for capturing particular activities (like
> cmd.exe being executed) without particular IP addresses being known.
>
> However, this snort rule would be invoked only if the network packet
> contains cmd.exe. If I would like to perform this activity, what
> should I do?
>
> x.x.x.x is determined to have performed cmd.exe, then I would like to capture all the
> network packets related to x.x.x.x.
>
> What tools can I use? Can I use snort? How do I write such rules then?

Hello,

Yes, Snort is able to do that for you. Just write the snort rule as usual and
append the "tag" keyword along with your desired options for it. Taken from the
excellent "Writing snort rules" manual (http://www.snort.org/docs/writing_rules/):

"The tag keyword allows rules to log more than just the single packet that
triggered the rule. Once a rule is triggered, additional traffic involving the
source host is ``tagged''. Tagged traffic is logged to allow analysis of
response codes and post-attack traffic."

The following example rule will log the next 20 packets involving the host
sending the string "cmd.exe" to a web server on your home network (should be
written as one line of course):

alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"cmd.exe access, tagging"; flags: A+; uricontent:"cmd.exe"; nocase; tag: host, 20, packets, src;)

Although you should probably be careful when tagging "cmd.exe" rules right now.
The IIS worms can easily make your logs grow gigantic unless you're careful.

Regards,
Andreas Östling

-----------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
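To make the "tag" semantics concrete, here is an added simulation (my own example, not Snort code and not part of the thread) that replays constructed packets through a model of the rule above. The rule body is approximated by `rule_fires()` (external source, $HOME_NET port 80, case-insensitive "cmd.exe" in the payload). `tag: host, N, packets, src` is modelled as "log the next N packets to or from the triggering packet's source address", and `tag: session, N, packets` as "log the next N packets of that one TCP session"; the treatment of a host that re-triggers while already tagged (the existing counter is left alone) is a simplification I chose, not documented Snort behaviour. `worm_storm()` builds constructed traffic to show why Andreas warns about log growth: every infected host that fires the rule adds its own N tagged packets.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple, Union

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes

HOME_NET = {"10.0.0.5"}        # constructed $HOME_NET for the example
SERVER = "10.0.0.5"
ATTACKER = "203.0.113.7"       # constructed, documentation range
OTHER = "198.51.100.9"         # constructed benign client

# Constructed traffic: one cmd.exe probe followed by a mix of related and unrelated packets
SAMPLE: List[Packet] = [
    Packet(OTHER, 40000, SERVER, 80, b"GET /index.html HTTP/1.0\r\n"),
    Packet(ATTACKER, 41000, SERVER, 80,
           b"GET /scripts/..%255c../winnt/system32/CMD.EXE?/c+dir HTTP/1.0\r\n"),
    Packet(SERVER, 80, ATTACKER, 41000, b"HTTP/1.0 200 OK\r\n"),       # server reply, same session
    Packet(OTHER, 40000, SERVER, 80, b"GET /about.html HTTP/1.0\r\n"), # unrelated host
    Packet(ATTACKER, 41001, SERVER, 80, b"GET /default.htm HTTP/1.0\r\n"),  # same host, new session
    Packet(ATTACKER, 41002, SERVER, 80, b"GET /x HTTP/1.0\r\n"),
    Packet(ATTACKER, 41003, SERVER, 80, b"GET /y HTTP/1.0\r\n"),
]

def rule_fires(pkt: Packet) -> bool:
    """Model of: alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (uricontent:"cmd.exe"; nocase;)"""
    return (pkt.src not in HOME_NET and pkt.dst in HOME_NET and pkt.dport == 80
            and b"cmd.exe" in pkt.payload.lower())

TagKey = Union[str, FrozenSet[Tuple[str, int]]]

def session_key(pkt: Packet) -> FrozenSet[Tuple[str, int]]:
    # Direction-independent identity of the TCP session (both endpoints)
    return frozenset({(pkt.src, pkt.sport), (pkt.dst, pkt.dport)})

def tag_key(pkt: Packet, tag_type: str, direction: str) -> TagKey:
    # host tag follows one address (src or dst of the triggering packet); session tag follows the 5-tuple
    if tag_type == "host":
        return pkt.src if direction == "src" else pkt.dst
    return session_key(pkt)

def packet_involves(pkt: Packet, key: TagKey, tag_type: str) -> bool:
    if tag_type == "host":
        return key in (pkt.src, pkt.dst)
    return session_key(pkt) == key

def run_sensor(packets: List[Packet], count: int = 20, tag_type: str = "host",
               direction: str = "src") -> Tuple[List[Packet], List[Packet]]:
    """Return (packets that raised the alert, packets logged only because of the tag)."""
    active: Dict[TagKey, int] = {}   # tag key -> packets still to log
    alerts: List[Packet] = []
    tagged: List[Packet] = []
    for pkt in packets:
        # An armed tag logs this packet and consumes one unit of its budget
        for key in list(active):
            if packet_involves(pkt, key, tag_type):
                tagged.append(pkt)
                active[key] -= 1
                if active[key] == 0:
                    del active[key]
                break
        # Then the rule itself is evaluated; a hit arms a new tag (existing one kept, simplification)
        if rule_fires(pkt):
            alerts.append(pkt)
            active.setdefault(tag_key(pkt, tag_type, direction), count)
    return alerts, tagged

def worm_storm(n_hosts: int, followups: int) -> List[Packet]:
    """Constructed traffic: each of n_hosts sources sends one cmd.exe probe, then `followups` plain requests."""
    pkts: List[Packet] = []
    for i in range(n_hosts):
        host = f"192.0.2.{i + 1}"
        pkts.append(Packet(host, 50000, SERVER, 80, b"GET /scripts/cmd.exe?/c+dir HTTP/1.0\r\n"))
        for j in range(followups):
            pkts.append(Packet(host, 50001 + j, SERVER, 80, b"GET /probe HTTP/1.0\r\n"))
    return pkts

if __name__ == "__main__":
    for mode in ("host", "session"):
        alerts, tagged = run_sensor(SAMPLE, count=3, tag_type=mode)
        print(f"tag: {mode}, 3, packets -> {len(alerts)} alert(s), {len(tagged)} tagged packet(s)")
    alerts, tagged = run_sensor(worm_storm(100, 30), count=20)
    print(f"worm storm: {len(alerts)} alerts produced {len(tagged)} extra tagged packets")
```

With `count=3` the host tag picks up the server's reply plus two later requests from the same address (a fourth is beyond the budget), while the session tag logs only the reply inside the triggering connection; the storm run shows 100 worm hosts turning 100 alerts into 2000 tagged packets, which is the growth the reply cautions about.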
This archive was generated by hypermail 2b30 : Sat Sep 22 2001 - 08:01:22 PDT