Snort mailing list archives
Re: Help
From: Matt Kettler <mkettler () evi-inc com>
Date: Tue, 21 Jan 2003 12:07:28 -0500
No, you cannot reconstruct all that traffic from your snort logs unless all the TCP port 25 traffic generated alerts that caused the packets to be logged.
I suppose you could write a rule to cause all traffic from that user to port 25 to be logged by snort, but that's a silly thing to do.
Just use tcpdump and leave snort out of it. This kind of "log everything matching a simple IP/port combination" is what tcpdump was designed to do.
Snort is intended to sift through lots of traffic looking for more complicated things like strings and only log a small portion of the traffic which matches them. To use it as a tcpdump replacement is pretty silly.
At 12:00 PM 1/20/2003 -0500, Guru Cumarasamy wrote:
Is it possible to reconstruct TCP packets in snort? For example, my employer wants to know all SMTP communication between an employee and an outside user. Can I go and reconstruct all TCP port 25 traffic from the snort log? I am running snort with the -b option. Thanks in advance
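Both `snort -b` and `tcpdump -w` write the same tcpdump/pcap file format, so whichever tool captured the port 25 packets, reconstructing the employee's side of an SMTP session means grouping the TCP segments by flow and joining their payloads in sequence-number order. The following is an added example (not code from the Snort project or from anyone in this thread) that does exactly that for a little-endian, Ethernet-linktype pcap; the capture it parses is constructed inline, and the SMTP commands and addresses in it are made up for the demonstration. Checksums are left zero in the constructed frames because the reassembler never validates them, and sequence-number wraparound is not handled.

```python
"""Reassemble the client->server bytes of TCP port 25 sessions from a pcap.

Added example, not code from Snort or from the thread.  The capture below is
constructed in memory; the SMTP lines and addresses are invented sample data.
"""
import io
import struct
from collections import defaultdict

PCAP_MAGIC = 0xA1B2C3D4      # little-endian, microsecond-timestamp pcap
LINKTYPE_ETHERNET = 1


def iter_packets(fh):
    """Yield raw link-layer frames from a little-endian pcap file object."""
    hdr = fh.read(24)
    magic, = struct.unpack("<I", hdr[:4])
    if magic != PCAP_MAGIC:
        raise ValueError("not a little-endian pcap file")
    linktype, = struct.unpack("<I", hdr[20:24])
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet captures are handled here")
    while True:
        rec = fh.read(16)                       # ts_sec, ts_usec, incl_len, orig_len
        if len(rec) < 16:
            return
        _, _, incl_len, _ = struct.unpack("<IIII", rec)
        yield fh.read(incl_len)


def parse_tcp(frame):
    """Return (src, sport, dst, dport, seq, payload), or None if not IPv4/TCP."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":   # EtherType IPv4
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    if ip[9] != 6:                                       # protocol TCP
        return None
    src = ".".join(map(str, ip[12:16]))
    dst = ".".join(map(str, ip[16:20]))
    tcp = ip[ihl:total_len]
    sport, dport, seq = struct.unpack("!HHI", tcp[:8])
    doff = (tcp[12] >> 4) * 4
    return src, sport, dst, dport, seq, tcp[doff:]


def reassemble_port(fh, port=25):
    """Map (src, sport, dst, dport) -> bytes sent toward `port`, in seq order.

    Segments are keyed by sequence number, so out-of-order delivery is fixed
    by sorting, an exact retransmission is dropped, overlapping data is
    trimmed, and a hole (packet never captured) is marked rather than hidden.
    Sequence-number wraparound is not handled.
    """
    flows = defaultdict(dict)
    for frame in iter_packets(fh):
        pkt = parse_tcp(frame)
        if pkt is None:
            continue
        src, sport, dst, dport, seq, payload = pkt
        if dport != port or not payload:
            continue
        flows[(src, sport, dst, dport)].setdefault(seq, payload)
    streams = {}
    for key, segs in flows.items():
        data, expected = b"", None
        for seq in sorted(segs):
            chunk = segs[seq]
            if expected is not None and seq > expected:
                data += b"<%d bytes missing>" % (seq - expected)
            if expected is not None and seq < expected:
                chunk = chunk[expected - seq:]          # trim overlap
            data += chunk
            end = seq + len(segs[seq])
            expected = end if expected is None else max(expected, end)
        streams[key] = data
    return streams


# ---- constructed sample capture (invented data) ----------------------------
SMTP_CLIENT = [
    b"EHLO laptop.example.com\r\n",
    b"MAIL FROM:<alice@example.com>\r\n",
    b"RCPT TO:<bob@example.net>\r\n",
    b"DATA\r\n",
    b"Subject: lunch\r\n\r\nSee you at noon.\r\n.\r\n",
    b"QUIT\r\n",
]


def _frame(src, dst, sport, dport, seq, payload):
    """Ethernet/IPv4/TCP frame with zero checksums (never checked above)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x18, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp


def sample_capture():
    """One SMTP session captured out of order with a retransmit, plus noise."""
    c, s = "10.0.0.5", "192.0.2.25"
    segs, seq = [], 1000
    for line in SMTP_CLIENT:
        segs.append((seq, line))
        seq += len(line)
    order = [segs[0], segs[2], segs[1], segs[1], segs[3], segs[5], segs[4]]
    frames = [_frame(c, s, 40123, 25, q, p) for q, p in order]
    frames.insert(1, _frame(s, c, 25, 40123, 500, b"250 OK\r\n"))      # server side
    frames.append(_frame(c, "192.0.2.80", 40124, 80, 1, b"GET / HTTP/1.0\r\n\r\n"))
    buf = io.BytesIO()
    buf.write(struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET))
    for i, f in enumerate(frames):
        buf.write(struct.pack("<IIII", i, 0, len(f), len(f)) + f)
    buf.seek(0)
    return buf


if __name__ == "__main__":
    for flow, data in reassemble_port(sample_capture()).items():
        print("%s:%d -> %s:%d" % flow)
        print(data.decode("ascii", "replace"))
```

To run it on a real file, replace `sample_capture()` with `open("snort.log.1234", "rb")`; only the client-to-server direction is rebuilt, so swap the port test to `sport != port` to recover the server's replies.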