Snort mailing list archives

Selective pcaps on demand?


From: Jeff Kell <jeff-kell () utc edu>
Date: Fri, 19 Aug 2005 11:19:29 -0400

I've been running snort for quite some time, snort+snortsam+mysql+base.  I am only using the database output plugin, 
and things have been fine.  But...

Is there a way to get pcap [tcpdump] captures of a specific signature? 

I tried using the rule "logto:" option, but that doesn't seem to work; I never saw a file created anywhere (and yes, the rule fired, I got the msg).

I tried setting up a new logtype:

# custom rule type: log-only, with its own output plugin
ruletype rogue
{
   type log
   # write matching packets in tcpdump/pcap format to a file named "rogues.<number>"
   output log_tcpdump: rogues
}

Using "rogue" rather than "alert" in the rule, this eventually sort of worked: it created a logfile called "snort.[a long number]" which started with a dump of a matching packet, but then also had dumps of every other alert as well.

What am I missing here?  Can't you do this from a single snort instance?

Jeff
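A post-processing workaround, added here as an example and not part of the original post or of Snort itself: once log_tcpdump has written the combined "snort.[number]" file, a stdlib-only Python script can pull out just the packets that match the rule's header. It assumes an Ethernet link type, a rule keyed on TCP destination port 22, and a constructed three-packet capture standing in for the real file.

```python
import struct

PCAP_GLOBAL = struct.Struct("<IHHiIII")  # magic, major, minor, tz, sigfigs, snaplen, linktype
PCAP_RECORD = struct.Struct("<IIII")     # ts_sec, ts_usec, incl_len, orig_len

def read_pcap(data):
    """Yield (record_header, frame_bytes) from a little-endian classic pcap blob."""
    if struct.unpack("<I", data[:4])[0] != 0xA1B2C3D4:
        raise ValueError("only little-endian classic pcap is handled here")
    off = PCAP_GLOBAL.size
    while off + PCAP_RECORD.size <= len(data):
        hdr = PCAP_RECORD.unpack_from(data, off)
        off += PCAP_RECORD.size
        yield hdr, data[off:off + hdr[2]]
        off += hdr[2]

def tcp_dst_port(frame):
    """TCP destination port of an Ethernet/IPv4/TCP frame, or None if it is not one."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None  # not IPv4, or not TCP
    tcp = 14 + (frame[14] & 0x0F) * 4  # skip Ethernet + IPv4 header (IHL in 32-bit words)
    if len(frame) < tcp + 4:
        return None
    return struct.unpack("!H", frame[tcp + 2:tcp + 4])[0]

def select_by_dst_port(data, port):
    """Return (new_pcap_bytes, kept_count) holding only frames sent to `port`."""
    out = bytearray(data[:PCAP_GLOBAL.size])  # reuse the original global header
    kept = 0
    for hdr, frame in read_pcap(data):
        if tcp_dst_port(frame) == port:
            out += PCAP_RECORD.pack(*hdr) + frame
            kept += 1
    return bytes(out), kept

def make_frame(dst_port):
    """Constructed Ethernet/IPv4/TCP SYN frame with zeroed checksums (headers only)."""
    eth = b"\x00" * 12 + b"\x08\x00"
    ip = bytes([0x45, 0, 0, 40, 0, 0, 0, 0, 64, 6, 0, 0]) + b"\x0a\x00\x00\x01\x0a\x00\x00\x02"
    tcp = struct.pack("!HHIIBBHHH", 40000, dst_port, 0, 0, 0x50, 0x02, 8192, 0, 0)
    return eth + ip + tcp

def sample_pcap():
    """Constructed stand-in for Snort's combined snort.<number> file: ports 22, 80, 22."""
    frames = [make_frame(p) for p in (22, 80, 22)]
    body = b"".join(PCAP_RECORD.pack(i, 0, len(f), len(f)) + f for i, f in enumerate(frames))
    return PCAP_GLOBAL.pack(0xA1B2C3D4, 2, 4, 0, 0, 65535, 1) + body
```

Write the first element of `select_by_dst_port(open("snort.NNNN", "rb").read(), 22)` to a new file to get a pcap that tcpdump or BASE can read.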


