
How to know the IP address of packets matched by the content option in Snort?

I am using snort-2.9.7.0 and I inspect packets with this simple code:

alert tcp any any -> $HOME_NET any (msg:"FB found in packet content!!!"; content:"FB"; sid:10000; )

I want to know where the packet comes from and store it. Guide me.

Thanks and Regards.

You should adjust the output format of the alerts; to do that, add this line to your config file:

output alert_fast: <full path to output file>/snort.log

As you see here, this will print Snort alert messages with full packet headers that contain the source and destination IP addresses, and they will be saved in the snort.log file.

EDIT: The log file can be in any place you like and its name can be determined by you. For example:

output alert_fast: ~/Desktop/my_snort_log.txt
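Once alert_fast output is enabled, the source address has to be pulled out of the log file to be stored. The following parser is an added example, not code from the question, the answer or the Snort project. It assumes the one-line alert_fast layout "timestamp [**] [gid:sid:rev] msg [**] [Classification: ...] [Priority: N] {PROTO} SRC:SPORT -> DST:DPORT" (the Classification field and the ports are treated as optional, since ICMP alerts carry no ports); the sample log lines are constructed for the example and use IPv4 addresses.

```python
import csv
import io
import re
from collections import Counter

# Assumed alert_fast line layout (example's assumption, not taken from the page):
# MM/DD-HH:MM:SS.usec  [**] [gid:sid:rev] msg [**] [Classification: x] [Priority: N] {PROTO} SRC:SPORT -> DST:DPORT
ALERT_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}-\d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.+?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?"   # present only when the rule has a classtype
    r"\[Priority:\s*(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>\w+)\}\s+"
    r"(?P<src>\S+?)(?::(?P<sport>\d+))?\s+->\s+"         # port is absent for e.g. ICMP
    r"(?P<dst>\S+?)(?::(?P<dport>\d+))?\s*$"
)

# Constructed sample alert_fast output for the rule from the question (sid 10000).
SAMPLE_LOG = """\
03/09-14:02:35.123456  [**] [1:10000:0] FB found in packet content!!! [**] [Priority: 0] {TCP} 192.168.1.5:43210 -> 10.0.0.2:80
03/09-14:02:36.000001  [**] [1:10000:0] FB found in packet content!!! [**] [Priority: 0] {TCP} 192.168.1.5:43211 -> 10.0.0.2:80
03/09-14:02:40.555555  [**] [1:10000:0] FB found in packet content!!! [**] [Classification: Misc activity] [Priority: 3] {TCP} 198.51.100.7:5555 -> 10.0.0.3:443
this line is not an alert and is skipped
"""


def parse_alert(line):
    """Return a dict with the alert fields, or None if the line is not an alert."""
    m = ALERT_RE.match(line.rstrip("\n"))
    if not m:
        return None
    rec = m.groupdict()
    for key in ("gid", "sid", "rev", "prio"):
        rec[key] = int(rec[key])
    for key in ("sport", "dport"):
        rec[key] = int(rec[key]) if rec[key] is not None else None
    return rec


def source_counts(lines, sid=None):
    """Count alerts per source IP, optionally restricted to one rule sid."""
    counts = Counter()
    for line in lines:
        rec = parse_alert(line)
        if rec is None or (sid is not None and rec["sid"] != sid):
            continue
        counts[rec["src"]] += 1
    return counts


def alerts_to_csv(lines):
    """Render the parsed alerts as CSV text (header + one row per alert) for storage."""
    buf = io.StringIO()
    w = csv.writer(buf, lineterminator="\n")
    w.writerow(["timestamp", "sid", "msg", "proto", "src", "sport", "dst", "dport"])
    for line in lines:
        rec = parse_alert(line)
        if rec is None:
            continue
        w.writerow([rec["ts"], rec["sid"], rec["msg"], rec["proto"],
                    rec["src"], rec["sport"], rec["dst"], rec["dport"]])
    return buf.getvalue()


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print(source_counts(lines, sid=10000))
    print(alerts_to_csv(lines))
```

Point the script at the file named in the output line (for example the ~/Desktop/my_snort_log.txt from the answer) by reading its lines instead of SAMPLE_LOG; lines that do not match the assumed layout are skipped rather than raising, so a different Snort build or output plugin shows up as an empty result instead of a crash.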
