Snort mailing list archives
RE: Stream/Packet Capture with Snort
From: "Paul Melson" <psmelson () comcast net>
Date: Tue, 10 May 2005 11:39:07 -0400
Marc,

Thanks for the reply. Unfortunately for my case, I don't think adding tags to my rules will be much help in getting SMTP headers for messages that trigger a rule with body content. Can you think of a [minimally disruptive] way to cause SMTP traffic to undergo stream reassembly by Snort?

Alternately, would it be possible to use a rule pair and tagging to achieve what I wanted? Something like this:

# Tag and log SMTP streams
log tcp $HOME_NET any -> $EXTERNAL_NET 25 (flags:S,12; tag:session,500,packets;)

# Now throw SMTP streams that match my regex into the database
alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"Bad Things(tm) in SMTP"; pcre:"/bad\ things/"; classtype:attempted-admin; priority:2; sid:123456789; tag:session,500,packets;)

Seems like a shot in the dark, but...

PaulM

-----Original Message-----
Subject: Re: [Snort-users] Stream/Packet Capture with Snort

> You cannot capture packets prior to the event packet, usually. The exception is if the session data is being reassembled. If a specific stream is being saved for reassembly and an event packet comes along, all of the saved packets are logged. Otherwise, Snort does not buffer up session data as would be needed to log packets prior to an event-generating packet. Once a packet causes an event you can use event tagging to log the rest of the session.
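An added example, not taken from either mail in the thread: a Snort 2.x (stream4-era) configuration fragment that puts SMTP on the reassembly port list, so that the packets already buffered for a tcp/25 session are logged when a rule fires, together with a tagging rule that logs the remainder of the session as Marc describes. The option values, the sid and the pcre pattern are assumptions chosen for illustration.

```snort
# Added example (not from the thread). Snort 2.x stream4 configuration that
# makes tcp/25 sessions eligible for reassembly. Once a stream is being saved
# for reassembly, an event on any packet of that stream causes the already
# saved packets (SMTP headers included) to be logged along with the event.
# "both" reassembles client->server and server->client; the SMTP headers
# Paul is after travel client->server, so "client" alone would also do.
preprocessor stream4: disable_evasion_alerts
preprocessor stream4_reassemble: both, ports 25

# Rule that fires on the message body and tags the rest of the session.
# flow:to_server,established limits matching to the established client->server
# side of the conversation instead of raw TCP flag matching; tag:session logs
# the next 500 packets of the same session after the event packet.
# sid and the pcre pattern are placeholders.
alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"Bad Things(tm) in SMTP"; flow:to_server,established; pcre:"/bad things/i"; classtype:attempted-admin; priority:2; sid:1000001; rev:1; tag:session,500,packets;)
```

With reassembly enabled for port 25 the separate log rule on SYN packets is not needed: the reassembly buffer supplies the packets before the event and the tag supplies those after it.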