Snort mailing list archives

Re: How to log an alert plus x number of packets?


From: Michael Boman <michael.boman () securecirt com>
Date: Sat, 5 Oct 2002 20:36:49 +0800

On Saturday 05 October 2002 19:21, Rich Adamson wrote:
> I'm looking for a way to cause snort to log "x" number of packets from
> a particular device "after" an alert has been activated. Does that
> capability exist, and if so, how would I configure it?

Yes, it exists and it is called tagging. It's available by default (actually, 
the only way to remove it would be changing the source code and re-compile) 
and is configured using the 'tag' keyword. See:

http://www.snort.org/docs/writing_rules/chap2.html#tth_chAp2 paragraph 2.3.31

Best regards
 Michael Boman

-- 
Michael Boman
Security Architect, SecureCiRT (A SBU of Z-Vance Pte Ltd)
http://www.securecirt.com
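
An added example, not part of the original message: two rules using the 'tag' keyword the reply points to, in the form `tag:<type>,<count>,<metric>[,<direction>]`. The source address, port, message text and sid values are constructed placeholders, and `$HOME_NET` is assumed to be defined in snort.conf.

```snort
# Constructed example: 192.0.2.10 stands in for the device of interest.
# Once this rule alerts, Snort also logs the next 50 packets sent by the
# source host of the triggering packet (type=host, direction=src).
alert tcp 192.0.2.10 any -> $HOME_NET 23 (msg:"LOCAL telnet attempt from watched device"; flags:S; tag:host,50,packets,src; sid:1000001; rev:1;)

# Variant: tag only the session that triggered the alert, and bound the
# capture by time (30 seconds) instead of by packet count.
alert tcp 192.0.2.10 any -> $HOME_NET 23 (msg:"LOCAL telnet attempt, session tagged"; flags:S; tag:session,30,seconds; sid:1000002; rev:1;)
```

Tagged packets are written by the logging output, not raised as further alerts, so a packet-logging output must be enabled to see them.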


