Snort mailing list archives

Fwd: Re: Snort PCAP on selected rules


From: "Edward Fjellskål" <edwardfjellskaal () gmail com>
Date: Thu, 04 Oct 2012 20:52:25 +0200


I hit reply but I meant to reply to list :)


-------- Original Message --------
Subject:        Re: [Snort-sigs] Snort PCAP on selected rules
Date:   Thu, 04 Oct 2012 17:02:42 +0200
From:   Edward Fjellskål <edwardfjellskaal () gmail com>
To:     Mr. Qoheleth <qoheleth26 () gmail com>



Here is an example:
http://www.gamelinux.org/?p=329


On 10/04/2012 06:38 AM, Mr. Qoheleth wrote:
Hello all once again!

I have another question I was unable to find out: Snort has the ability to capture the traffic in pcap files. I am hoping there is a way to only start capturing the traffic of a conversation that matched a rule alert? So in other words, I do not wish to save every packet on my network in my pcap files; I only wish to save packets that match a detected attack. So is there a way that once an alert fires, then I can have snort begin to log all traffic relating to that conversation in a pcap file?

Thanks again so much!


------------------------------------------------------------------------------
Don't let slow site performance ruin your business. Deploy New Relic APM
Deploy New Relic app performance management and know exactly
what is happening inside your Ruby, Python, PHP, Java, and .NET app
Try New Relic at no cost today and get our sweet Data Nerd shirt too!
http://p.sf.net/sfu/newrelic-dev2dev


_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!
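Added example for the question above (it is not taken from the page or from the linked gamelinux.org post): the standard Snort 2.x way to log only the conversation that fired a rule is the "tag" rule option combined with the log_tcpdump output plugin, which writes the alerting packet and every tagged packet that follows it to a pcap in the log directory. The rule itself, its SID, the content match, the limits and the file names are illustrative choices, not real signatures.

```conf
# --- snort.conf fragment (added example, not from the original post) ---

# Write alerts as text and write the alerting packet plus all packets
# tagged by a rule to a libpcap file under the -l log directory.
# Nothing else is written: untagged traffic never reaches the file.
output alert_fast: alert.txt
output log_tcpdump: tagged.pcap

# Upper bound on packets tagged per session when a rule's tag metric is
# seconds or bytes rather than packets. Snort's default is 256; raise it
# if 256 packets is not enough of the conversation for your analysis.
config tagged_packet_limit: 2000

# --- local.rules fragment (illustrative rule, SID and content are made up) ---

# On a match, keep logging the remainder of this TCP session for up to
# 300 seconds (capped by tagged_packet_limit above). "session" tags both
# directions of the flow; use "host" with a direction to follow a host
# across connections instead.
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 ( \
    msg:"EXAMPLE web request for /etc/passwd"; \
    flow:to_server,established; \
    content:"/etc/passwd"; http_uri; \
    tag:session,300,seconds; \
    classtype:web-application-attack; sid:1000001; rev:1; )
```

Two caveats worth knowing before relying on this: tagging starts at the packet that fired the alert, so anything earlier in the conversation (the TCP handshake, previous requests on the same connection) is not recovered; if you need that context you still need a full packet capture somewhere, for example Snort's own -b binary logging or a separate sensor. And if later packets in the same session match the rule again, each match restarts the tag; the Snort manual's pattern of setting a flowbit on first match and guarding the rule with flowbits:isnotset avoids that.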



