Snort mailing list archives

Re: Help


From: Matt Kettler <mkettler () evi-inc com>
Date: Tue, 21 Jan 2003 12:07:28 -0500

No you can not reconstruct all that traffic from your snort logs unless all the tcp port 25 traffic generated alerts that caused the packets to be logged.

I suppose you could write a rule to cause all traffic from that user to port 25 to be logged by snort, but that's a silly thing to do.

Just use tcpdump and leave snort out of it. This kind of "log everything matching a simple IP/port combination" is what tcpdump was designed to do.

Snort is intended to sift through lots of traffic looking for more complicated things like strings and only log a small portion of the traffic which matches them. To use it as a tcpdump replacement is pretty silly.


At 12:00 PM 1/20/2003 -0500, Guru Cumarasamy wrote:
Is it possible to re-construct TCP packets in snort? For example, my employer wants to know all SMTP communication between an employee and an outside user. Can I go and re-construct all TCP port 25 traffic from the snort log? I am running snort with the -b option.

Thanks in advance
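The reply above boils down to two steps: capture the host/port combination with tcpdump (or log it with a snort `log` rule), then rebuild the SMTP conversation from the resulting capture. Both tcpdump -w and snort -b write the classic pcap format, so the second step is the same either way. The example below is added here and is not from the original thread or from the Snort project: it parses a pcap file with only the standard library and reassembles each direction of every TCP conversation that involves a given host on port 25, ordering segments by sequence number. The addresses, ports and the SMTP lines are constructed sample data, and the capture is built in memory so the script runs offline.

```python
import struct
from collections import defaultdict

# Capture side (as suggested in the reply), constructed command line:
#   tcpdump -i eth0 -w employee-smtp.pcap host 10.0.0.5 and tcp port 25
# The snort equivalent would be a 'log' rule for the same host and port;
# either way the file on disk is classic pcap, which is what we read here.

PCAP_MAGIC = 0xA1B2C3D4
LINKTYPE_ETHERNET = 1


def _ip_to_bytes(ip):
    return bytes(int(x) for x in ip.split("."))


def build_segment(src, sport, dst, dport, seq, payload):
    """Build an Ethernet/IPv4/TCP frame for the sample capture.
    Checksums are left zero; the reassembler never checks them."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     _ip_to_bytes(src), _ip_to_bytes(dst))
    eth = b"\x00" * 12 + b"\x08\x00"          # zero MACs, EtherType IPv4
    return eth + ip + tcp


def build_pcap(frames):
    """Wrap frames in a little-endian pcap global header plus record headers."""
    hdr = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    out = [hdr]
    for i, frame in enumerate(frames):
        out.append(struct.pack("<IIII", 1042000000 + i, 0, len(frame), len(frame)))
        out.append(frame)
    return b"".join(out)


# Constructed sample: three segments of one SMTP session, with the client's
# second segment arriving before its first, plus an unrelated port 80 segment.
EMPLOYEE, MAILSERVER = "10.0.0.5", "192.0.2.25"
SAMPLE_PCAP = build_pcap([
    build_segment(MAILSERVER, 25, EMPLOYEE, 40001, 5000, b"220 mail.example.test ESMTP\r\n"),
    build_segment(EMPLOYEE, 40001, MAILSERVER, 25, 1018, b"MAIL FROM:<alice@example.test>\r\n"),
    build_segment(EMPLOYEE, 40001, MAILSERVER, 25, 1000, b"EHLO workstation\r\n"),
    build_segment(EMPLOYEE, 40002, "203.0.113.9", 80, 1, b"GET / HTTP/1.0\r\n\r\n"),
])


def iter_packets(data):
    """Yield raw frames from a classic pcap blob (either byte order, Ethernet only)."""
    magic = struct.unpack("<I", data[:4])[0]
    if magic == PCAP_MAGIC:
        endian = "<"
    elif magic == 0xD4C3B2A1:                 # same magic written big-endian
        endian = ">"
    else:
        raise ValueError("not a classic pcap file")
    if struct.unpack(endian + "I", data[20:24])[0] != LINKTYPE_ETHERNET:
        raise ValueError("this example handles Ethernet captures only")
    off = 24
    while off + 16 <= len(data):
        _, _, incl_len, _ = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        yield data[off:off + incl_len]
        off += incl_len


def parse_tcp(frame):
    """Return (src, sport, dst, dport, seq, payload), or None if not IPv4/TCP."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None
    ihl = (frame[14] & 0x0F) * 4
    total_len = struct.unpack("!H", frame[16:18])[0]
    src = ".".join(str(b) for b in frame[26:30])
    dst = ".".join(str(b) for b in frame[30:34])
    tcp = frame[14 + ihl:14 + total_len]
    sport, dport, seq = struct.unpack("!HHI", tcp[:8])
    data_off = (tcp[12] >> 4) * 4
    return src, sport, dst, dport, seq, tcp[data_off:]


def reassemble(pcap_bytes, host, port=25):
    """Rebuild each direction of every TCP conversation between `host` and `port`.
    Segments are ordered by sequence number; an exact retransmission simply
    overwrites its predecessor. Partially overlapping segments are not merged,
    which is the main simplification versus a full TCP stream reassembler."""
    streams = defaultdict(dict)
    for frame in iter_packets(pcap_bytes):
        pkt = parse_tcp(frame)
        if pkt is None:
            continue
        src, sport, dst, dport, seq, payload = pkt
        if host not in (src, dst) or port not in (sport, dport) or not payload:
            continue
        streams[(src, sport, dst, dport)][seq] = payload
    return {key: b"".join(seg for _, seg in sorted(chunks.items()))
            for key, chunks in streams.items()}


if __name__ == "__main__":
    for (src, sport, dst, dport), data in reassemble(SAMPLE_PCAP, EMPLOYEE).items():
        print(f"{src}:{sport} -> {dst}:{dport}")
        print(data.decode("ascii", "replace"))
```

To use it on a real capture, replace `SAMPLE_PCAP` with `open("employee-smtp.pcap", "rb").read()`; the port 80 segment in the sample shows that the host/port filter is applied at reassembly time as well, so a wider capture still yields only the SMTP conversations.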




