Snort mailing list archives
Re: simultaneous snort and tcpdump
From: Gary Flynn <flynngn () jmu edu>
Date: Thu, 26 Sep 2002 17:18:16 -0400
Carl Gibbons wrote:
Okay, here's an example of what I'd like: for every snort alert, don't just save (into mmdd () hhmm-snort log) the packet that caused the alert, but also save the ten preceeding and ten succeeding packets between the same hosts.
I haven't used them yet but the activate/dynamic and tag rules are supposed to let you log packets AFTER a signature match occurs. You'll probably have to roll your own solution with some type of rolling buffer for those preceding packets though :) -- Gary Flynn Security Engineer - Technical Services James Madison University Please R.U.N.S.A.F.E. http://www.jmu.edu/computing/runsafe ------------------------------------------------------- This sf.net email is sponsored by:ThinkGeek Welcome to geek heaven. http://thinkgeek.com/sf _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- simultaneous snort and tcpdump Carl Gibbons (Sep 20)
- Re: simultaneous snort and tcpdump Bennett Todd (Sep 20)
- Re: simultaneous snort and tcpdump Gary Flynn (Sep 20)
- Re: simultaneous snort and tcpdump Carl Gibbons (Sep 21)
- Re: simultaneous snort and tcpdump Jason (Sep 22)
- Re: simultaneous snort and tcpdump Carl Gibbons (Sep 26)
- Re: simultaneous snort and tcpdump Bennett Todd (Sep 26)
- Re: simultaneous snort and tcpdump Carl Gibbons (Sep 26)
- Re: simultaneous snort and tcpdump Jason (Sep 26)
- Re: simultaneous snort and tcpdump Gary Flynn (Sep 20)
- Re: simultaneous snort and tcpdump Gary Flynn (Sep 26)
- Re: simultaneous snort and tcpdump Martin Roesch (Sep 26)
- Re: simultaneous snort and tcpdump Bennett Todd (Sep 20)