Snort mailing list archives
Re: Packet Capture
From: "Al Lewis \(allewi\) via Snort-users" <snort-users () lists snort org>
Date: Thu, 29 Jun 2017 20:30:14 +0000
Or the tagging feature: See the README.tag file. Taken from the file:

Introduction
------------

Tagging packets is a way to continue logging packets from a session or host that generated an event in Snort. When an event is generated based on a rule that contains a tag option, information such as the IPs and ports involved, the type of tagging decision that should be made (by session or host), for how long to tag packets (the number of packets, seconds and/or bytes), the event id of the packet that generated the alert (to be included in the logging information with each tagged packet), etc. are saved into a data structure so that subsequent packets can be checked against this information and a decision can be made whether or not to tag/log the packet.

Tagged traffic is logged to allow analysis of response codes and post-attack traffic. Tag alerts will be sent to the same output plugins as the original alert, but it is the responsibility of the output plugin to properly handle these special alerts. Currently, the database output plugin does not properly handle tag alerts.

Snort will only check to see whether or not it should tag a packet if that packet did not generate an event. An exception to this is if the event was based on a PASS rule and that rule does not contain a tag option, that packet will be checked.

Albert Lewis
ENGINEER.SOFTWARE ENGINEERING
SOURCEfire, Inc. now part of Cisco
Email: allewi () cisco com

From: allewi <allewi () cisco com>
Date: Thursday, June 29, 2017 at 3:39 PM
To: Justin Pederson <jpedersm () gmail com>, "snort-users () lists snort org" <snort-users () lists snort org>
Subject: Re: [Snort-users] Packet Capture

Check out the session feature: http://manual-snort-org.s3-website-us-east-1.amazonaws.com/node34.html#SECTION00472000000000000000

Albert Lewis
ENGINEER.SOFTWARE ENGINEERING
SOURCEfire, Inc. now part of Cisco
Email: allewi () cisco com

From: Snort-users <snort-users-bounces () lists snort org> on behalf of Justin Pederson via Snort-users <snort-users () lists snort org>
Reply-To: Justin Pederson <jpedersm () gmail com>
Date: Thursday, June 29, 2017 at 3:08 PM
To: "snort-users () lists snort org" <snort-users () lists snort org>
Subject: [Snort-users] Packet Capture

Is there a way with snort to start a full pcap on an interface for the entire interface or specific IP based on an alert from the IDS?
_______________________________________________ Snort-users mailing list Snort-users () lists snort org Go to this URL to change user options or unsubscribe: https://lists.snort.org/mailman/listinfo/snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news!
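The README.tag excerpt above describes the mechanism but shows no rule. The following is an added example (it is not from the list message or from Snort's own documentation) of how the tag option is used in Snort 2.x rules to keep logging packets after an alert, which is the closest built-in answer to the original question about starting a capture on an event. It assumes $HOME_NET and $EXTERNAL_NET are defined in snort.conf, that sids 1000001 and 1000002 are free local IDs, and that the log path is a placeholder to adjust.

```snort
# Added example, not from the thread or from Snort's docs.
# Assumptions: $HOME_NET / $EXTERNAL_NET are set in snort.conf, the sids are
# free local IDs, and /var/log/snort/tagged.log is a placeholder path.

# Send log-type output (including tagged packets) to a pcap-format file.
output log_tcpdump: /var/log/snort/tagged.log

# Session tagging: after this alert fires, keep logging packets in the same
# TCP session (both directions) for 60 seconds, so the server's response
# codes and any follow-up traffic in that session are captured.
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"TAG example - log rest of HTTP session"; flow:to_server,established; content:"GET"; sid:1000001; rev:1; tag:session,60,seconds;)

# Host tagging: after this alert fires, log the next 500 packets from the
# source host, regardless of session, so post-event traffic to other ports
# on the monitored network is kept as well.
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"TAG example - log next packets from source host"; flags:S; sid:1000002; rev:1; tag:host,500,packets,src;)
```

Two points from the README carry over to reading the resulting log: tagged packets go to the same output plugins as the original alert (so they land in the log_tcpdump file, while the database plugin will not handle them), and a packet that itself generates an event is not checked for tagging, so a noisy rule set can leave gaps in the tagged stream.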