Re: [Snort] - match entire session

[william de ping via Snort-sigs <snort-sigs () lists snort org>]

Tagging only works on capturing succeive packets after a successful match,
correct ?
I want to capture a few packets in the session prior to the matched packet.



On Mon, Jul 6, 2020 at 5:51 AM Al Lewis (allewi) <allewi () cisco com> wrote:

> Have you tried tagging the session?
>
>
>
>
> http://manual-snort-org.s3-website-us-east-1.amazonaws.com/node34.html#SECTION00475000000000000000
>
>
>
>
>
>
>
> *Albert Lewis*
>
> ENGINEER.SOFTWARE ENGINEERING
>
> Cisco Systems Inc.
>
> Email: allewi () cisco com
>
>
>
>
>
>
>
> *From: *Snort-sigs <snort-sigs-bounces () lists snort org> on behalf of
> william de ping via Snort-sigs <snort-sigs () lists snort org>
> *Reply-To: *william de ping <bill.de.ping () gmail com>
> *Date: *Sunday, July 5, 2020 at 9:50 AM
> *To: *"snort-sigs () lists snort org" <snort-sigs () lists snort org>
> *Subject: *[Snort-sigs] [Snort] - match entire session
>
>
>
> Hi all,
>
>
>
> Does anyone know a way to capture the entire session even if the signature
> is matched on the 4th packet of a session ?
>
> I would somehow like to get the 2nd and 3rd packets of that session
>
>
>
> Thank you very much
>
> B
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists snort org
https://lists.snort.org/mailman/listinfo/snort-sigs

Please visit http://blog.snort.org for the latest news about Snort!

Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette

Visit the Snort.org to subscribe to the official Snort ruleset, make sure to stay up to date to catch the most <a 
href=" https://snort.org/downloads/#rule-downloads";>emerging threats</a>!