Snort mailing list archives
Re: How to log an alert plus x number of packets?
From: Michael Boman <michael.boman () securecirt com>
Date: Sat, 5 Oct 2002 20:36:49 +0800
On Saturday 05 October 2002 19:21, Rich Adamson wrote:
> I'm looking for a way to cause snort to log "x" number of packets from a particular device "after" an alert has been activated. Does that capability exist, and if so, how would I configure it?

Yes, it exists and it is called tagging. It's available by default (actually, the only way to remove it would be changing the source code and recompiling) and is configured using the 'tag' keyword.

See: http://www.snort.org/docs/writing_rules/chap2.html#tth_chAp2 paragraph 2.3.31

Best regards
Michael Boman

-- 
Michael Boman
Security Architect, SecureCiRT (A SBU of Z-Vance Pte Ltd)
http://www.securecirt.com
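An added example, not part of the original message: two rules using the 'tag' keyword the reply refers to, in the form tag:<type>,<count>,<metric>[,<direction>]. The msg text, port choices and sid values are constructed for illustration; $EXTERNAL_NET and $HOME_NET are the usual snort.conf variables and are assumed to be defined.

```snort
# Constructed example rules (local sid range), not from the original post.

# Case from the question: after the alert fires, keep logging the next
# 50 packets from the device that triggered it.
#   type      = host     (follow one host rather than one connection)
#   count     = 50
#   metric    = packets  (count is a number of packets)
#   direction = src      (the host to follow is the packet's source address)
alert tcp $EXTERNAL_NET any -> $HOME_NET 23 (msg:"LOCAL inbound telnet SYN, tagging source host"; flags:S; tag:host,50,packets,src; sid:1000001; rev:1;)

# Variant: follow only the connection that triggered the alert, for a
# fixed time window instead of a packet count.
#   type   = session  (only packets of the triggering session)
#   count  = 10
#   metric = seconds
# No direction argument is given; it applies to the host type only.
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"LOCAL inbound FTP SYN, tagging session"; flags:S; tag:session,10,seconds; sid:1000002; rev:1;)
```

Tagged packets are written by the logging output rather than raised as further alerts, so a packet-logging output needs to be enabled to capture them.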