Snort mailing list archives

session:printable question


From: Taras Danko <gortaur () gmail com>
Date: Thu, 12 Nov 2009 18:25:57 +0200

Hello guys.

I've got an assignment to dump all the application level data from all
the telnet sessions destined to certain subnet in ASCII form using
snort.
My custom rule to accomplish this is the following:

log tcp any any <> $SUBNET 23 (session:printable; sid:1000003;)

The rule by itself is OK. The bad thing is the filename hierarchy of the
captured session, which looks like:
/var/log/snort/<SRC_IP>/SESSION:<high_port>-<low-port>

With the current schema I'm unable to identify the IP of the destination
host of a session, only the source. It makes the whole dumping half
useless.
Is it possible to somehow add the dest_ip to the session filename or
dirname, or attach it to the session file in some other way?

I know about other ways and tools to accomplish the same thing, but I
have no choice and need to defeat snort's session:printable at the
moment :)

Thank you in advance.
-- 
Regards,
Taras Danko
