Snort mailing list archives

Re: Rules Question


From: Erek Adams <erek () snort org>
Date: Wed, 6 Aug 2003 10:59:43 -0400 (EDT)

On Tue, 5 Aug 2003, Stevo wrote:

> I'm creating some new rules to use... I'm looking for certain keywords
> in packets and have got the rule working, but I'm interested in seeing
> more of the Payload... right now I'm just getting the line that includes
> that keyword...  how can I tell ACID to show me 10 lines on either side
> of the keyword for example??

You can't.  It's not a function of ACID.

Snort fires an alert.  That alert contains all the packet data, but ONLY
for the single packet that created the alert.  No more.  You'd need to
capture the packets before and after the one that triggered the alert.
You can use tagging to do that (sorta), but only from _that_ point.  If
the alert triggers on packet X, then you could tag packets X + Z, but not
X - Z.

Cheers!

-----
Erek Adams

   "When things get weird, the weird turn pro."   H.S. Thompson
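As an added illustration of the tagging behaviour described above (example rules written for this archive page, not taken from the thread or from the Snort distribution; the keyword, $HOME_NET, port and sid values are placeholders):

```snort
# Plain keyword rule: the alert logs only the single packet whose payload
# contains "KEYWORD", which is all a console such as ACID can ever show for it.
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"Keyword match, trigger packet only"; \
    flow:to_server,established; content:"KEYWORD"; nocase; \
    classtype:policy-violation; sid:1000001; rev:1;)

# Same match with the tag option: after packet X fires the alert, Snort also
# logs the next 10 packets of that TCP session (X + 1 ... X + 10) as tagged
# packets. Nothing before X is recoverable this way; Snort has already passed
# those packets by the time the rule matches.
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"Keyword match, tag following packets"; \
    flow:to_server,established; content:"KEYWORD"; nocase; \
    tag:session,10,packets; \
    classtype:policy-violation; sid:1000002; rev:1;)
```

Using `tag:session,30,seconds;` instead of a packet count tags the remainder of the session for a time window; either way the capture starts at the triggering packet and runs forward only.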


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
