Snort mailing list archives

Re: How to dump a certain number of tcp packets (for TCPDUMP) when an alert is fired


From: "Alex Butcher, ISC/ISYS" <Alex.Butcher () bristol ac uk>
Date: Tue, 07 Sep 2004 08:45:53 +0100



--On 06 September 2004 17:30 -0400 Jason <security () brvenik com> wrote:

You still want log_tcpdump however you can create another output type for
just the alerts you want to go into the tcpdump format file. You can
create as many alert types as you would like for different files for
different alerts... Just watch how they are ordered in the rare case you
hit a dependency.

http://www.snort.org/docs/snort_manual/node16.html#SECTION00421000000000000000

Alternatively, FLoP will log packet data of the triggering packet and subsequent packets to the configured database. getpacket (included in the FLoP distro) can extract these packets to a pcap file that can be loaded by ethereal.

The next version (or maybe the version after :) of FLoP will preserve Snort's 'reference' tag through to the database. This allows getpacket to reconstruct any number of related packets into a single pcap file.

Best Regards,
Alex.
--
Alex Butcher: Security & Integrity, Personal Computer Systems Group
Information Systems and Computing             GPG Key ID: F9B27DC9
GPG Fingerprint: D62A DD83 A0B8 D174 49C4 2849 832D 6C72 F9B2 7DC9
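Editor's note for the archive: an added snort.conf fragment, not from this thread, illustrating the approach Jason describes: a custom ruletype whose alerts land in their own tcpdump-format file while everything else keeps using the global log_tcpdump output. The ruletype name, file names and the rule itself are constructed for the example.

```snort
# Global log for all rules (the usual log_tcpdump setup)
output log_tcpdump: snort.log

# Custom ruletype: alerts raised by rules that use it are written to a
# separate pcap file and a separate alert file. Declare the ruletype
# before any rule that references it; ordering in the config matters.
ruletype ssh_pcap
{
    type alert
    output alert_fast: ssh_pcap.alert
    output log_tcpdump: ssh_pcap.log
}

# Constructed example rule: note the action is the ruletype name, not "alert".
# Only packets matching this rule go into ssh_pcap.log; other rules are unaffected.
ssh_pcap tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"EXAMPLE inbound SSH connection"; flow:to_server,established; sid:1000001; rev:1;)
```

Snort appends a timestamp to the log_tcpdump file name (ssh_pcap.log.<epoch>); the result is ordinary pcap, so `tcpdump -r` or ethereal will open it directly.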



