Snort mailing list archives
RE: logging entire sessions
From: gary.smith () ScottishAmicable co uk
Date: Wed, 22 Aug 2001 10:03:31 +0100
Avleen:

You could try the following (we are predominantly a windows shop, apologies to the zealots ;> )

Alert via syslog to Kiwi-Enterprises Syslog daemon on first packet. Syslog daemon is configured to fire a batch file upon reception of a packet. Batch file starts windump (tcpdump for windows) and then schedules a termination in z minutes using at.exe scheduler and pskill.exe (from sysinternals.com)

--Gary

Message: 11
Date: Wed, 22 Aug 2001 00:48:01 +0100 (BST)
From: Avleen Vig <avleen () ivision co uk>
To: <snort-users () lists sourceforge net>
Subject: [Snort-users] logging entire sessions

Anyone know if this feature is available in Snort? I've been playing around with 1.8.1 a bit (and not as much as I should have :) but I've not seen anything like the following. If indeed it's not available, I'd like to suggest it as a feature for <put version here>.

When an alert of type x is triggered, I can consider it minor and ignore the one-off. Or type x could be traffic I see daily but don't want to remove from my logs. We'll call type x 'non-hostile'.

Then there is type y. When I see packets of type y, I don't just want to log them but I want to tcpdump the entire session with the offending src for the next z minutes.

I would think this is a semi-obvious thing.. someone is attacking your network, so you capture all their traffic! Is this possible?

--
Avleen Vig, Systems Administrator    Email: avleen () ivision co uk
Internet Vision                       Mobile: (07974) 100 573
60 Albert Court                       Tel: 020 7589 4500
Prince Consort Road                   Fax: 020 7589 4522
London. SW7 2BE                       info () ivision co uk
http://www.ivision.co.uk/
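The chain Gary describes (syslog alert fires a script, the script starts a packet capture on the offending source and schedules its termination z minutes later) can be written as one small handler. The example below is added here and is not code from the thread or from the Snort project: it parses the classic Snort syslog alert line, treats a constructed set of signature IDs as Avleen's "type y", and starts a time-limited capture with `timeout` plus `tcpdump` in place of at.exe, pskill.exe and windump. The syslog lines, the SID set, and the output directory are all constructed for the example. It passes the source address as a separate argv element rather than interpolating it into a shell string, and it refuses to start a second capture for a source that is already being captured, so a burst of alerts from one host does not spawn a capture per packet.

```python
"""Added example: Snort syslog alert -> time-limited full capture of the source.

Assumptions (not from the thread): tcpdump and coreutils timeout are available,
the process has the privilege to sniff, and captures go to /var/tmp/captures.
"""
import re
import subprocess
import time
from dataclasses import dataclass
from typing import Dict, List, Optional

# Classic Snort syslog alert layout:
#   [gid:sid:rev] msg [Classification: c] [Priority: p]: {PROTO} src[:sport] -> dst[:dport]
ALERT_RE = re.compile(
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s*)?"
    r"\[Priority:\s*(?P<prio>\d+)\]:?\s*"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+)(?::(?P<sport>\d+))?"
    r"\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?"
)

# Constructed "type y" signature IDs: alerts that warrant a session capture.
CAPTURE_SIDS = {1002, 1003}


@dataclass
class Alert:
    sid: int
    msg: str
    priority: int
    proto: str
    src: str
    dst: str


def parse_alert(line: str) -> Optional[Alert]:
    """Return the parsed alert, or None if the line is not a Snort alert."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    return Alert(int(m["sid"]), m["msg"], int(m["prio"]), m["proto"], m["src"], m["dst"])


def capture_command(src: str, sid: int, minutes: int, stamp: int,
                    outdir: str = "/var/tmp/captures") -> List[str]:
    """Build the argv for a capture that ends itself after `minutes`.

    `timeout -s INT` stands in for at.exe + pskill.exe; SIGINT lets tcpdump
    flush and close the pcap cleanly. The source address only ever reaches
    the regex-validated dotted-quad form, so it is safe in the filename and
    is passed as its own argv element, never through a shell.
    """
    out = f"{outdir}/{stamp}_sid{sid}_{src}.pcap"
    return ["timeout", "-s", "INT", str(minutes * 60),
            "tcpdump", "-n", "-w", out, "host", src]


class SessionCapturer:
    """Starts one capture per offending source; ignores repeats while it runs."""

    def __init__(self, minutes: int = 10, dry_run: bool = True) -> None:
        self.minutes = minutes
        self.dry_run = dry_run
        self.active: Dict[str, float] = {}  # src -> unix time the capture ends

    def handle(self, line: str, now: Optional[float] = None) -> Optional[List[str]]:
        """Return the capture argv started for this line, or None if none was."""
        now = time.time() if now is None else now
        alert = parse_alert(line)
        if alert is None or alert.sid not in CAPTURE_SIDS:
            return None  # unparsable, or "type x": log only, no capture
        if self.active.get(alert.src, 0.0) > now:
            return None  # a capture for this source is still running
        self.active[alert.src] = now + self.minutes * 60
        cmd = capture_command(alert.src, alert.sid, self.minutes, int(now))
        if not self.dry_run:
            subprocess.Popen(cmd)  # detached; timeout ends it for us
        return cmd


# Constructed syslog lines in the classic Snort format (not real traffic).
SAMPLE_LINES = [
    "Aug 22 00:48:01 sensor snort[2112]: [1:1001:3] ICMP PING NMAP "
    "[Classification: Attempted Information Leak] [Priority: 2]: {ICMP} 10.0.0.5 -> 192.168.1.10",
    "Aug 22 00:48:03 sensor snort[2112]: [1:1002:5] WEB-MISC cmd.exe access "
    "[Classification: Web Application Attack] [Priority: 1]: {TCP} 10.0.0.5:3456 -> 192.168.1.10:80",
    "Aug 22 00:48:04 sensor snort[2112]: [1:1003:2] WEB-IIS unicode directory traversal attempt "
    "[Classification: Web Application Attack] [Priority: 1]: {TCP} 10.0.0.5:3457 -> 192.168.1.10:80",
]

if __name__ == "__main__":
    capturer = SessionCapturer(minutes=5)  # dry run: print the argv, start nothing
    for sample in SAMPLE_LINES:
        print(capturer.handle(sample))
```

Run it with `dry_run=False` behind a syslog receiver (or on stdin from `tail -f`) to actually start captures; in that mode the process needs capture privileges. The regex is what keeps alert text out of the command: everything except the validated source address is discarded before any process is spawned.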