Snort mailing list archives
Selective pcaps on demand?
From: Jeff Kell <jeff-kell () utc edu>
Date: Fri, 19 Aug 2005 11:19:29 -0400
I've been running snort for quite some time, snort+snortsam+mysql+base. I am only using the database output plugin, and things have been fine. But... Is there a way to get pcap [tcpdump] captures of a specific signature? I tried using the rule "logto:" but that doesn't seem to work, never saw a file created anywhere (and yes, the rule fired, got the msg). I tried setting up a new logtype:
    ruletype rogue
    {
        type log
        output log_tcpdump: rogues
    }
And using "rogue" rather than "alert" in the rule, this eventually sort of worked: it created a logfile called "snort.[a long number]" which started with a dump of a matching packet, but then also had dumps of every other alert as well. What am I missing here? Can't you do this from a single snort instance?

Jeff
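One way to get the selective pcap back out of the combined snort.[number] file, as an added example that is not part of the original post: a small pure-Python carver that walks the classic pcap records and writes a new pcap holding only the packets matching a chosen criterion. Since the post does not say what the "rogue" rule matches, a TCP destination port (4444) stands in as an assumed criterion; the sample pcap is constructed inline, and the carver handles both pcap byte orders and IPv4 options (IHL) rather than only this one case.

```python
import struct

PCAP_MAGIC_LE, PCAP_MAGIC_BE, DLT_EN10MB = 0xA1B2C3D4, 0xD4C3B2A1, 1

def _tcp_frame(src_port, dst_port):
    """Constructed test data: an Ethernet/IPv4/TCP SYN with no payload."""
    eth = b"\x00" * 12 + b"\x08\x00"                      # dst MAC, src MAC, EtherType IPv4
    tcp = struct.pack("!HHIIBBHHH", src_port, dst_port, 0, 0, 5 << 4, 0x02, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return eth + ip + tcp

def _pcap(frames):
    """Constructed test data: a little-endian classic pcap wrapping the frames."""
    hdr = struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, DLT_EN10MB)
    recs = b"".join(struct.pack("<IIII", 1124464769 + i, 0, len(f), len(f)) + f
                    for i, f in enumerate(frames))
    return hdr + recs

# Stand-in for a snort.<number> file holding every alert: only the second
# packet is the one the hypothetical "rogue" rule (TCP dst port 4444) matched.
SAMPLE_PCAP = _pcap([_tcp_frame(40000, 80), _tcp_frame(40001, 4444)])

def _tcp_dst_port(frame):
    """TCP destination port of an Ethernet/IPv4 frame, or None if not IPv4/TCP."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None
    tcp_off = 14 + (frame[14] & 0x0F) * 4                # honour the IHL field
    if len(frame) < tcp_off + 4:
        return None
    return struct.unpack("!H", frame[tcp_off + 2:tcp_off + 4])[0]

def carve(pcap_bytes, dst_port):
    """Return (new pcap bytes, records kept) with only packets to dst_port."""
    magic, = struct.unpack("<I", pcap_bytes[:4])
    endian = {PCAP_MAGIC_LE: "<", PCAP_MAGIC_BE: ">"}.get(magic)
    if endian is None:
        raise ValueError("not a classic pcap file")
    if struct.unpack(endian + "I", pcap_bytes[20:24])[0] != DLT_EN10MB:
        raise ValueError("only Ethernet link type handled")
    out, off, kept = bytearray(pcap_bytes[:24]), 24, 0   # copy the global header
    while off + 16 <= len(pcap_bytes):
        rec_hdr = pcap_bytes[off:off + 16]
        caplen = struct.unpack(endian + "IIII", rec_hdr)[2]
        pkt = pcap_bytes[off + 16:off + 16 + caplen]
        off += 16 + caplen
        if _tcp_dst_port(pkt) == dst_port:
            out += rec_hdr + pkt                          # record header copied unchanged
            kept += 1
    return bytes(out), kept
```

For a one-off on a real log file, `tcpdump -r snort.<number> -w rogues.pcap 'tcp dst port 4444'` performs the same filtering with a BPF expression.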