Snort mailing list archives

tag keyword for TCP sessions


From: "Emmanuel Dardaine" <emmanuel.dardaine () smart-telecom ch>
Date: Thu, 24 Apr 2003 09:47:09 +0200

Hi there,

Let me first explain what I'm aiming to do with my Snort installation:
- I would like to intercept email on particular keywords (say email address
for example)
- once the email address has been identified, I would like to capture the
remaining messages (if spread over several frames) until the end.

In order to achieve this, I used the tag option, but without success. Even
if I use the direction operator (say tag:host,300,packets,src), I get all
the TCP segments in both directions. Here is the rule I use:

log tcp any any -> any 25 (content:"email@ddress"; content:!"FROM\:";
content:!"RCPT TO\:"; tag:host,300,packets,src; msg:"Intercepted email";)

Shall I use the alert keyword instead of log? Who has had a similar experience?
Any hint about this kind of logging?

Thanks for your help,
Emmanuel
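As an added illustration of what the rule above actually tells Snort (this is not code from the poster or from the Snort project), the following Python script parses a rule's option block the way the thread's rule is written: it splits on semicolons while honouring double quotes and the backslash escapes that Snort requires for ':' and ';' inside content strings, separates negated content matches from positive ones, and decodes the tag option into its type (session or host), count, metric and, for host tagging, direction. The rule string embedded below is a copy of the one quoted in the post; the function names are my own.

```python
"""Parse the option block of a Snort rule and summarize its content and tag
options.  Added example for this thread; not Snort's own code."""

# Constructed copy of the rule quoted in the post, joined onto one line.
RULE = ('log tcp any any -> any 25 (content:"email@ddress"; content:!"FROM\\:"; '
        'content:!"RCPT TO\\:"; tag:host,300,packets,src; msg:"Intercepted email";)')


def split_options(rule):
    """Return the (keyword, value) pairs inside the rule's parentheses.

    A ';' inside double quotes is part of the value, and a backslash escapes
    the character that follows it, which is how the post's rule writes the
    ':' inside "FROM\\:" and "RCPT TO\\:".
    """
    body = rule[rule.index('(') + 1:rule.rindex(')')]
    options, cur, in_quotes, i = [], [], False, 0

    def flush():
        token = ''.join(cur).strip()
        if token:
            key, _, val = token.partition(':')
            options.append((key.strip(), val.strip()))

    while i < len(body):
        ch = body[i]
        if ch == '\\' and i + 1 < len(body):
            cur.append(body[i + 1])      # keep the escaped character literally
            i += 2
            continue
        if ch == '"':
            in_quotes = not in_quotes
        elif ch == ';' and not in_quotes:
            flush()
            cur = []
            i += 1
            continue
        cur.append(ch)
        i += 1
    flush()                               # option without a trailing ';'
    return options


def parse_content(value):
    """Split a content value into (negated, pattern), quotes removed."""
    negated = value.startswith('!')
    if negated:
        value = value[1:].strip()
    return negated, value.strip('"')


def parse_tag(value):
    """Decode tag:<type>,<count>,<metric>[,<direction>].

    type is 'session' or 'host'; the direction (src/dst) only applies to
    host tagging, so it is reported only for that type.
    """
    parts = [p.strip() for p in value.split(',')]
    tag = {'type': parts[0], 'count': int(parts[1]), 'metric': parts[2]}
    if tag['type'] == 'host':
        tag['direction'] = parts[3] if len(parts) > 3 else None
    return tag


def summarize(rule):
    """Collect the action, protocol, content matches, tag and msg of a rule."""
    header = rule[:rule.index('(')].split()
    summary = {'action': header[0], 'proto': header[1],
               'contents': [], 'tag': None, 'msg': None}
    for key, val in split_options(rule):
        if key == 'content':
            summary['contents'].append(parse_content(val))
        elif key == 'tag':
            summary['tag'] = parse_tag(val)
        elif key == 'msg':
            summary['msg'] = val.strip('"')
    return summary


if __name__ == '__main__':
    for k, v in summarize(RULE).items():
        print(f'{k}: {v}')
```

Running it on the post's rule shows three content checks (one positive, two negated) and a tag of type host with count 300, metric packets and direction src; feeding it a rule written with tag:session instead reports no direction field, which is a quick way to confirm which tagging mode a rule is actually requesting before looking at the resulting logs.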


