Snort mailing list archives

RE: Stream/Packet Capture with Snort


From: "Paul Melson" <psmelson () comcast net>
Date: Tue, 10 May 2005 11:39:07 -0400

Marc,

Thanks for the reply.  Unfortunately for my case, I don't think adding tags
to my rules will be much help in getting SMTP headers for messages that
trigger a rule with body content.  Can you think of a [minimally disruptive]
way to cause SMTP traffic to undergo stream reassembly by Snort?

Alternately, would it be possible to use a rule pair and tagging to achieve
what I wanted?  Something like this:

# Tag and log SMTP streams (flags:S,12 matches a bare SYN and masks the two
# reserved bits so ECN-marked SYNs still match)
log tcp $HOME_NET any -> $EXTERNAL_NET 25 (flags:S,12; tag:session,500,packets;)

# Now throw SMTP streams that match my regex into the database
alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"Bad Things(tm) in SMTP"; pcre:"/bad things/"; classtype:attempted-admin; priority:2; sid:123456789; tag:session,500,packets;)

Seems like a shot in the dark, but...

PaulM

-----Original Message-----
Subject: Re: [Snort-users] Stream/Packet Capture with Snort

You cannot capture packets prior to the event packet, usually.  The
exception is if the session data is being reassembled.  If a specific stream
is being saved for reassembly and an event packet comes along, all of the
saved packets are logged.  Otherwise, snort does not buffer up session data
as would be needed to log packets prior to an event generating packet. Once
a packet causes an event you can use event tagging to log the rest of the
session.
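As an added example (not from the original thread, and not Marc's or Paul's configuration), here is how the two rules could be combined with stream reassembly on a Snort 2.x sensor of that era, so that a body match in a reassembled client-to-server SMTP stream also logs the buffered packets in front of it, which is the only case in which Marc says pre-event packets can be recovered. Assumptions, not taken from the thread: stream4 is the reassembly preprocessor in use, the stream4_reassemble options are as documented in the Snort 2.x manual of the time, and the SIDs 1000001/1000002 and the pattern "bad things" are placeholders.

```snort
# Assumption: Snort 2.x with the stream4 preprocessor (snort.conf fragment,
# added example, not from the thread).
preprocessor stream4: disable_evasion_alerts

# Reassemble the client side of port-25 sessions (the $HOME_NET -> :25
# direction Paul's rules inspect) and flush the buffered stream to the
# output plugins when a rule fires on it, so the SMTP headers that were
# buffered before the matching body content are written out too.
preprocessor stream4_reassemble: clientonly, ports 25, flush_on_alert

# Rule 1 (placeholder SID 1000001): tag every outbound SMTP session from
# the SYN onward; reserved bits masked with ,12.
log tcp $HOME_NET any -> $EXTERNAL_NET 25 (flags:S,12; tag:session,500,packets; sid:1000001; rev:1;)

# Rule 2 (placeholder SID 1000002): match the body pattern in the
# established, reassembled client->server stream, then tag the rest of
# the session. The placeholder pattern "bad things" stands in for the
# real regex.
alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"Bad Things(tm) in SMTP"; flow:to_server,established; pcre:"/bad things/i"; classtype:attempted-admin; priority:2; tag:session,500,packets; sid:1000002; rev:1;)
```

Two caveats a practitioner would want before deploying this: rule 1 tags up to 500 packets of every outbound SMTP session, which on a busy relay is far from minimally disruptive, so once reassembly plus flush_on_alert delivers the headers it can be dropped and only rule 2's tag kept; and the header packets are recovered only while stream4 still holds them, so the reassembly memory and flush settings of the running version should be checked against its manual rather than assumed from this fragment.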

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users