Snort mailing list archives

RE: logging entire sessions


From: gary.smith () ScottishAmicable co uk
Date: Wed, 22 Aug 2001 10:03:31 +0100

Avleen:

You could try the following (we are predominantly a windows shop, apologies
to the zealots ;> )

Alert via syslog to Kiwi-Enterprises Syslog daemon on first packet.
Syslog daemon is configured to fire a batch file upon reception of a packet.
Batch file starts windump (tcpdump for windows) and then schedules a
termination in z minutes using at.exe scheduler and pskill.exe (from
sysinternals.com)


--Gary;
 
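The pipeline Gary describes (Snort alert via syslog, syslog daemon fires a script, the script starts a sniffer on the offending source and schedules its own termination) is easy to reproduce on a Unix sensor. The script below is an added example and not code from the original thread; it assumes Snort is logging alerts to syslog and that the syslog daemon (rsyslog's omprog, syslog-ng's program() destination, or similar) hands each alert line to the script as its first argument. The interface name, capture directory, default capture length and the constructed alert lines are illustrative assumptions. One practitioner's caveat it builds in: the alert text is partly attacker-influenced, so only a validated IP address, never the raw syslog line, is ever placed on a command line.

```shell
#!/bin/sh
# Added example (not from the original thread): Unix counterpart of the
# Kiwi-syslog -> batch file -> windump -> at.exe/pskill.exe chain.
# Assumed: the syslog daemon runs this script as  script.sh "<alert line>".
# Interface, capture directory and capture length are illustrative defaults.

CAPTURE_IFACE="${CAPTURE_IFACE:-eth0}"
CAPTURE_DIR="${CAPTURE_DIR:-/var/log/snort/sessions}"
CAPTURE_MINUTES="${CAPTURE_MINUTES:-10}"   # the "z minutes" of the thread

# Constructed sample alert, in Snort's syslog layout (assumption: the line
# ends in "{PROTO} src[:sport] -> dst[:dport]"). Used for the dry run below.
CONSTRUCTED_ALERT='Aug 22 10:03:31 ids snort[4242]: [1:1000001:1] CONSTRUCTED test rule [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.0.2.10:40123 -> 198.51.100.5:80'

# Extract the source address: the token after "{PROTO}" and before "->",
# with any ":port" stripped. Prints nothing if the line does not match.
parse_src_ip() {
    printf '%s\n' "$1" |
        sed -n 's/.*{[A-Za-z0-9]*} *\([0-9][0-9.]*\)\(:[0-9]*\)\{0,1\} *->.*/\1/p'
}

# Rule messages and payload fragments can reach the syslog line, so the raw
# text must never be interpolated into a command. Accept a dotted quad only.
valid_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# The command that captures both directions of the offender's traffic and is
# killed by coreutils timeout(1) after N minutes (the job at.exe + pskill.exe
# do on Windows). Shown as a string so a dry run can display it.
capture_cmd() {
    src="$1"; minutes="$2"; outfile="$3"
    printf 'timeout %ds tcpdump -n -i %s -w %s host %s\n' \
        "$((minutes * 60))" "$CAPTURE_IFACE" "$outfile" "$src"
}

# Handle one alert line. Returns 1 (no capture) unless a valid source IP
# was found. The capture runs in the background so the syslog daemon is
# not blocked for the life of the sniffer. Set DRY_RUN=1 to only print
# the command that would be started.
handle_alert() {
    src=$(parse_src_ip "$1")
    valid_ipv4 "$src" || return 1
    outfile="$CAPTURE_DIR/$src-$(date +%Y%m%d-%H%M%S).pcap"
    if [ -n "$DRY_RUN" ]; then
        capture_cmd "$src" "$CAPTURE_MINUTES" "$outfile"
    else
        mkdir -p "$CAPTURE_DIR"
        nohup timeout "$((CAPTURE_MINUTES * 60))s" tcpdump -n -i "$CAPTURE_IFACE" \
            -w "$outfile" host "$src" >/dev/null 2>&1 &
    fi
}

if [ $# -gt 0 ]; then
    handle_alert "$1"                 # invoked by the syslog daemon
else
    DRY_RUN=1                         # no alert given: show what would run
    handle_alert "$CONSTRUCTED_ALERT"
fi
```

Two operational points: the script inherits the syslog daemon's privileges, so tcpdump needs capture rights there (CAP_NET_RAW or a root-owned daemon), and a noisy source will trigger one capture per alert, so in practice you would either have the syslog daemon rate-limit the program destination or check for an existing pcap for that source before starting another. If `timeout` is unavailable, `at now + 10 minutes` with a `kill` of the tcpdump PID is the direct equivalent of the at.exe/pskill.exe pair.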

Message: 11
Date: Wed, 22 Aug 2001 00:48:01 +0100 (BST)
From: Avleen Vig <avleen () ivision co uk>
To:  <snort-users () lists sourceforge net>
Subject: [Snort-users] logging entire sessions

Anyone know if this feature is available in Snort?
I've been playing around with 1.8.1 a bit (and not as much as I should
have :) but I've not seen anything like the following.

If indeed it's not available, I'd like to suggest it as a feature for
<put version here>.


When an alert of type x is triggered, I can consider it minor and ignore
the one-off. Or type x could be traffic I see daily but don't want to
remove from my logs. We'll call type x 'non-hostile'.

Then there is type y. When I see packets of type y, I don't just want to
log them but I want to tcpdump the entire session with the offending src
for the next z minutes. I would think this is a semi-obvious thing..
someone is attacking your network, so you capture all their traffic!

Is this possible?

--

Avleen Vig, Systems Administrator
Email: avleen () ivision co uk               Mobile: (07974) 100 573

Internet Vision                                Tel: 020 7589 4500
60 Albert Court                                Fax: 020 7589 4522
Prince Consort Road                            info () ivision co uk
London. SW7 2BE                         http://www.ivision.co.uk/






