Snort mailing list archives
tag keyword for TCP sessions
From: "Emmanuel Dardaine" <emmanuel.dardaine () smart-telecom ch>
Date: Thu, 24 Apr 2003 09:47:09 +0200
Hi there,

Let me first explain what I'm aiming to do with my Snort installation:

- I would like to intercept email on particular keywords (say an email address, for example)
- once the email address has been identified, I would like to capture the remaining messages (if spread over several frames) until the end.

In order to achieve this, I used the tag option, but without success. Even if I use the direction operator (say tag:host,300,packets,src), I get all the TCP segments in both directions.

Here is the rule I use:

log tcp any any -> any 25 (content:"email@ddress"; content:!"FROM\:"; content:!"RCPT TO\:"; tag:host,300,packets,src; msg:"Intercepted email";)

Should I use the alert keyword instead of log? Who has had a similar experience? Any hint about this kind of logging?

Thanks for your help,
Emmanuel
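The result described in the post follows from how Snort's tag direction argument works: src and dst choose which host's traffic gets tagged, not which direction of traffic. As an added example (not from the original post), the same rule in its host-tagging form next to a session-tagging form, with comments on what each one logs; the pattern "email@ddress" is the post's placeholder keyword.

```snort
# Added example, not from the original post. "email@ddress" is a
# placeholder trigger pattern; the negated SMTP command matches keep
# envelope lines (MAIL FROM: / RCPT TO:) from triggering the rule.

# Host tagging: "src" selects the source host of the packet that
# fired the rule, so every packet to OR from that client is logged
# (both directions) until 300 packets have been seen.
log tcp any any -> any 25 (msg:"Intercepted email (host tag)"; \
    content:"email@ddress"; content:!"FROM:"; content:!"RCPT TO:"; \
    tag:host,300,packets,src;)

# Session tagging: only packets belonging to the TCP session that
# produced the event are logged, for the next 300 packets, which
# confines the capture to the one SMTP transaction the keyword was in.
log tcp any any -> any 25 (msg:"Intercepted email (session tag)"; \
    content:"email@ddress"; content:!"FROM:"; content:!"RCPT TO:"; \
    tag:session,300,packets;)
```

Session tagging still records both directions of that one connection (the server's replies included); the direction argument is only meaningful for host tagging and cannot restrict a tag to client-to-server segments.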