Snort mailing list archives

Re: Displaying few packets before a matched packet


From: Martin Holste <mcholste () gmail com>
Date: Fri, 18 Nov 2011 09:22:30 -0600

Hey everyone,
I'm new to Snort and was wondering if this is possible. Suppose a packet is
matched by an alert rule, is it possible to make Snort display a few of the
preceding packets as well?

Not really, which is one of the reasons people run things like
daemonlogger.  We were just discussing alternatives last night with
things like URL logging.  Generally speaking, you should have
something doing general logging alongside Snort to provide context to
the alerts.  For general contextual information without the overhead
of full pcap, I recommend running Bro along with Snort.  It will
generically log connections, URLs, SMTP, SMTP entities, do full file
carving of HTTP/SMTP objects, etc.  That way when you get a Snort
alert, you can grep for the offending IP in your Bro logs to see what
it was up to.  There are many, many ways of doing this with other
solutions; this is just one example.
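As an added example, not code from this thread, the correlation Martin describes in script form: parse a Snort fast-format alert line and pull the Bro conn.log records that involve the alerting host in the seconds before the alert fired, which is the "preceding packets" context the question asks for at the connection level. The alert line, the conn.log excerpt (a subset of Bro's real conn.log fields) and the alert year are constructed assumptions; the field names follow Bro's conn.log header.

```python
import calendar
import re
from datetime import datetime

# Constructed Snort "fast" alert line; fast alerts carry no year, so one is assumed.
SNORT_ALERT = ("11/18-09:15:02.123456  [**] [1:1000001:1] EXAMPLE suspicious request [**] "
               "[Priority: 2] {TCP} 10.0.0.5:51234 -> 192.0.2.10:80")
ALERT_YEAR = 2011

# Constructed Bro conn.log excerpt: tab-separated, a subset of the real field set.
BRO_CONN_LOG = ("#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\n"
                "1321607600.100000\tCuid1\t10.0.0.5\t51200\t192.0.2.53\t53\tudp\tdns\n"
                "1321607650.200000\tCuid2\t10.0.0.7\t44000\t192.0.2.10\t80\ttcp\thttp\n"
                "1321607680.300000\tCuid3\t10.0.0.5\t51210\t192.0.2.20\t443\ttcp\tssl\n"
                "1321607702.000000\tCuid4\t10.0.0.5\t51234\t192.0.2.10\t80\ttcp\thttp\n"
                "1321607750.400000\tCuid5\t10.0.0.5\t51240\t192.0.2.30\t22\ttcp\tssh\n")

ALERT_RE = re.compile(
    r"^(\d\d)/(\d\d)-(\d\d):(\d\d):(\d\d)\.(\d{6})\s+\[\*\*\].*?"
    r"\{\w+\}\s+(\S+?):\d+\s+->\s+(\S+?):\d+\s*$")


def parse_snort_alert(line, year=ALERT_YEAR):
    """Return {'ts': epoch seconds (UTC assumed), 'src': ip, 'dst': ip} for a fast alert."""
    m = ALERT_RE.match(line)
    if not m:
        raise ValueError("not a fast-format alert: %r" % line)
    mon, day, hh, mm, ss, usec, src, dst = m.groups()
    dt = datetime(year, int(mon), int(day), int(hh), int(mm), int(ss))
    return {"ts": calendar.timegm(dt.timetuple()) + int(usec) / 1e6, "src": src, "dst": dst}


def parse_bro_conn(text):
    """Yield one dict per conn.log record, keyed by the names in the #fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#") and fields:
            rec = dict(zip(fields, line.split("\t")))
            rec["ts"] = float(rec["ts"])
            yield rec


def context_for_alert(alert, conn_records, window_s=120):
    """Connections touching the alert's source host in the window_s seconds before the alert."""
    lo, hi = alert["ts"] - window_s, alert["ts"]
    hits = [r for r in conn_records
            if lo <= r["ts"] <= hi and alert["src"] in (r["id.orig_h"], r["id.resp_h"])]
    return sorted(hits, key=lambda r: r["ts"])


if __name__ == "__main__":
    for r in context_for_alert(parse_snort_alert(SNORT_ALERT), list(parse_bro_conn(BRO_CONN_LOG))):
        print(r["ts"], r["uid"], r["id.orig_h"], "->", r["id.resp_h"], r["service"])
```

The last record returned is the connection that produced the alert itself; the ones before it are what the host was doing in the lead-up, which is the context a grep of the Bro logs gives you.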
