Snort mailing list archives

Alerts and packet capture - MYSQL


From: Snow Jacob C KPWA <JacobSC () kpt nuwc navy mil>
Date: Mon, 19 May 2003 14:10:28 -0700

I am using snort 2.0 to capture data based on a custom rule: 

alert tcp $HOME_NET any -> $EXTERNAL_NET :1024 (msg:"Syn Outbound"; flags:S; tag:session,2,packets;)

and logging this information to a MySQL database.  I then want to look
through this data to see if a SYN/ACK is sent back (aka a complete
handshake/connection).  I am capturing additional packets as well.  When I
try to view the additional packets in Snort I am only getting the packet
that triggers the rule, not the extra packets that were captured.  Is there a
way to view this information with ACID or am I stuck doing it by hand?

Also, is there a way to write the rule such that it won't trigger if I don't
get a SYN/ACK back?  Does ACID already do this and I am missing something?  A
little advice from the Snort gurus and everyone else would be nice :-).

Thank you,

Jacob Snow

jacobsc () kpt nuwc navy mil

(360)315-3487

NAVSEA Intern
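The correlation the question asks for, as an added example that is not part of the original message or of Snort/ACID: given the packets logged for each alert, pair every outbound SYN with a reverse-direction SYN/ACK and report which handshakes completed, were refused, or got no answer. The rows below are constructed sample data; their column layout (sid, cid, src, sport, dst, dport, tcp_flags) is an assumption modelled on a join of Snort's iphdr and tcphdr tables, not something taken from the page.

```python
# Added example: correlate logged outbound SYNs with the replies tagged
# after them. SAMPLE_ROWS is constructed data; the column layout is an
# assumption (a join of snort's iphdr/tcphdr tables), not the page's schema.
from collections import defaultdict

# TCP flag bits as stored in tcphdr.tcp_flags
SYN = 0x02
RST = 0x04
ACK = 0x10
SYN_ACK = SYN | ACK

# constructed sample: (sid, cid, src, sport, dst, dport, tcp_flags)
SAMPLE_ROWS = [
    (1, 101, "10.0.0.5", 40001, "203.0.113.10", 80, SYN),        # triggering packet
    (1, 102, "203.0.113.10", 80, "10.0.0.5", 40001, SYN_ACK),    # tagged: reply
    (1, 103, "10.0.0.5", 40001, "203.0.113.10", 80, ACK),        # tagged: handshake done
    (1, 104, "10.0.0.5", 40002, "203.0.113.20", 22, SYN),        # no reply captured
    (1, 105, "10.0.0.5", 40002, "203.0.113.20", 22, SYN),        # retransmitted SYN
    (1, 106, "10.0.0.5", 40003, "203.0.113.30", 443, SYN),
    (1, 107, "203.0.113.30", 443, "10.0.0.5", 40003, RST | ACK), # refused
]


def classify_handshakes(rows):
    """Map each outbound SYN (src, sport, dst, dport) to a status string.

    'completed'  - a SYN/ACK was logged in the reverse direction
    'refused'    - a RST was logged in the reverse direction
    'unanswered' - nothing came back within the tagged packets
    """
    syn_count = defaultdict(int)
    replies = defaultdict(list)
    for _sid, _cid, src, sport, dst, dport, flags in rows:
        if flags & SYN and not flags & ACK:
            # bare SYN: the connection attempt we want to judge
            syn_count[(src, sport, dst, dport)] += 1
        else:
            # anything else is indexed under the connection it answers,
            # i.e. with source and destination swapped
            replies[(dst, dport, src, sport)].append(flags)

    result = {}
    for key in syn_count:
        seen = replies.get(key, [])
        if any((f & SYN_ACK) == SYN_ACK for f in seen):
            result[key] = "completed"
        elif any(f & RST for f in seen):
            result[key] = "refused"
        else:
            result[key] = "unanswered"
    return result


def unanswered_syns(rows):
    """Sorted list of connection keys whose SYN never got a SYN/ACK or RST."""
    return sorted(k for k, v in classify_handshakes(rows).items() if v == "unanswered")


if __name__ == "__main__":
    for conn, status in sorted(classify_handshakes(SAMPLE_ROWS).items()):
        src, sport, dst, dport = conn
        print(f"{src}:{sport} -> {dst}:{dport}  {status}")
```

Retransmitted SYNs collapse onto one connection key, so a host retrying a closed port is counted once. Packets the `tag` option did not capture (a SYN/ACK arriving after the two tagged packets) will show up as "unanswered", which is the limit the rule's `tag:session,2,packets` imposes rather than a property of the query.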
