Logging Application Traffic

Problem

You want to log all traffic that belongs to a particular application.

Solution

Make use of the session keyword that was introduced in Recipe 2.n.

Description

If your application, like most, listens on a particular port on a particular machine, write a rule that matches that host and port and use the session keyword to record the traffic. For example, to record all traffic to and from a MySQL server running on TCP 3306 on a particular machine (192.168.0.8, for example), use the following rule:

alert tcp any any <> 192.168.0.8 3306 (msg: "MySQL"; session: all;)
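As an added example (not part of the cookbook), a small Python checker that parses a rule of this shape and rejects the mistakes that silently break logging: a missing or misspelled session modifier, a bad address, or a bad port. It assumes Snort 2 rule syntax and does not handle a ';' inside a quoted msg; session_rule() builds the same kind of rule for any host and port.

```python
import ipaddress
import re

# Values the Snort 2 "session" keyword accepts.
SESSION_MODES = {"printable", "binary", "all"}
HEADER = re.compile(
    r"\s*(alert|log|pass)\s+(tcp|udp|ip|icmp)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$"
)

def _check_addr(token: str) -> None:
    """Accept 'any', one address, a CIDR block, or a [a,b] list, optionally negated."""
    token = token[1:] if token.startswith("!") else token
    parts = token[1:-1].split(",") if token.startswith("[") else [token]
    for p in parts:
        if p != "any":
            ipaddress.ip_network(p, strict=False)  # raises ValueError on garbage

def _check_port(token: str) -> None:
    """Accept 'any', a single port, or a low:high range."""
    token = token[1:] if token.startswith("!") else token
    if token == "any":
        return
    lo, _, hi = token.partition(":")
    for v in (lo, hi):
        if v and not (v.isdigit() and int(v) <= 65535):
            raise ValueError(f"bad port {token!r}")

def parse_session_rule(rule: str) -> dict:
    """Split a rule into header fields and options; raise ValueError if it would not log."""
    m = HEADER.match(rule)
    if not m:
        raise ValueError("rule is not '<action> <proto> <src> <sport> <dir> <dst> <dport> (options)'")
    action, proto, src, sport, direction, dst, dport, body = m.groups()
    for a in (src, dst):
        _check_addr(a)
    for p in (sport, dport):
        _check_port(p)
    opts = {}
    for item in body.split(";"):          # naive split: no ';' inside quoted values
        if item.strip():
            key, _, val = item.partition(":")
            opts[key.strip()] = val.strip().strip('"')
    if opts.get("session") not in SESSION_MODES:
        raise ValueError(f"session must be one of {sorted(SESSION_MODES)}, got {opts.get('session')!r}")
    if "msg" not in opts:
        raise ValueError("rule has no msg")
    return {"action": action, "proto": proto, "src": src, "sport": sport,
            "direction": direction, "dst": dst, "dport": dport, "options": opts}

def session_rule(host: str, port: int, label: str, mode: str = "all") -> str:
    """Build a bidirectional rule that records every session to and from host:port."""
    rule = f'alert tcp any any <> {host} {port} (msg: "{label}"; session: {mode};)'
    parse_session_rule(rule)  # fail fast instead of deploying a rule Snort would reject
    return rule
```

The session keyword writes the captured data to files under Snort's log directory, so a busy server will consume disk quickly; check the free space before enabling it.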


See Also

Snort Users Manual

Recipe 2.27, Recognizing HTTP Traffic on Unusual Ports
