Snort mailing list archives
session:printable question
From: Taras Danko <gortaur () gmail com>
Date: Thu, 12 Nov 2009 18:25:57 +0200
Hello guys. I've got an assignment to dump all the application-level data from all the telnet sessions destined to a certain subnet in ASCII form using Snort. My custom rule to accomplish this is the following:

    log tcp any any <> $SUBNET 23 (session:printable; sid:1000003;)

The rule by itself is OK. The bad thing is the filename hierarchy of the captured session, which looks like:

    /var/log/snort/<SRC_IP>/SESSION:<high_port>-<low_port>

With the current schema I'm unable to identify the IP of the destination host of a session, only the source. It makes the whole dumping half useless.

Is it possible to somehow add the dest_ip to the session filename or dirname, or attach it to the session file in some other way?

I know about other ways and tools to accomplish the same thing, but I have no choice and need to defeat Snort's session:printable at the moment :)

Thank you in advance.

--
Regards,
Taras Danko