Snort mailing list archives

How to log an alert plus x number of packets?


From: Rich Adamson <radamson () routers com>
Date: Sat, 5 Oct 2002 05:21:31 -0600

I'm looking for a way to cause snort to log "x" number of packets from
a particular device "after" an alert has been activated. Does that
capability exist, and if so, how would I configure it?

Simple Example: if an EXTERNAL_NET device requests a DNS Zone Transfer,
snort will detect and alert. However, the alert only suggests the attempt
was made and offers no clue as to whether the zone transfer request was
actually honored. If "x" number of sequential packets were logged to/from
this device after the alert, one could easily determine whether it was a
false positive.

(I understand that another specific rule could be written to handle the
above zone transfer example, but there are lots of similar examples
where saving a few follow-on packets would be helpful.)
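An added example, not part of the original message: the zone-transfer rule written first without and then with Snort's `tag` rule option, which makes Snort log a set number of follow-on packets from the same session (or host) once the rule fires, so the response to the request is captured alongside the alert. The payload match, sids and counts below are constructed for illustration and are not taken from the post.

```snort
# Constructed example rules (not from the original post).

# Without tag: Snort logs only the single packet that matched, so the
# alert says nothing about whether the server answered the AXFR request.
alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS zone transfer attempt (no tag)"; \
    flow:to_server,established; content:"|00 00 FC|"; offset:14; \
    classtype:attempted-recon; sid:1000001; rev:1;)

# With tag: after this rule fires, Snort also logs the next 20 packets of
# the same TCP session in both directions, which is enough to see whether
# the zone data came back or the server refused the transfer.
alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS zone transfer attempt (tagged)"; \
    flow:to_server,established; content:"|00 00 FC|"; offset:14; \
    tag:session,20,packets; classtype:attempted-recon; sid:1000002; rev:1;)

# Variant for the general case in the post: instead of one session, capture
# every packet from the alerting source host for the next 30 seconds.
#    tag:host,30,seconds,src;
```

The tagged packets are written to whatever output plugin logs the alert itself, so they appear next to the triggering packet when reviewing the log.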



