Snort mailing list archives

Previous By Date Next
Previous By Thread Next

Re: simultaneous snort and tcpdump

From: Gary Flynn <flynngn () jmu edu>
Date: Thu, 26 Sep 2002 17:18:16 -0400
Carl Gibbons wrote:


Okay, here's an example of what I'd like:  for every snort alert,
don't just save (into mmdd () hhmm-snort log) the packet that caused
the alert, but also save the ten preceeding and ten succeeding
packets between the same hosts.


I haven't used them yet but the activate/dynamic and tag rules are 
supposed to let you log packets AFTER a signature match occurs.

You'll probably have to roll your own solution with some type
of rolling buffer for those preceding packets though :)

-- 
Gary Flynn
Security Engineer - Technical Services
James Madison University

Please R.U.N.S.A.F.E.
http://www.jmu.edu/computing/runsafe


-------------------------------------------------------
This sf.net email is sponsored by:ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
Previous By Date Next
Previous By Thread Next

Current thread: