Snort mailing list archives
Re: Save reassembled session if keyword is found. 2
From: Hyun Yoo <easetheworld () gmail com>
Date: Wed, 26 Aug 2015 07:34:56 +0900
For email (SMTP) stream analysis, I want the whole session, not pcap packets. If the sender is xxx, or the message contains xxx, I want to save the whole email text.

On Wednesday, 26 August 2015, Joel Esler (jesler) <jesler () cisco com> wrote:
Why would you do this? Just use Snort (or better yet, daemonlogger) to write the pcap traffic to disk.

--
Joel Esler
Manager, Threat Intelligence Team & Open Source
Talos Group
http://www.talosintel.com

On Aug 25, 2015, at 5:52 PM, Hyun Yoo <easetheworld () gmail com> wrote:

Another question with 'session:binary'. To save all TCP streams, I used the rule

alert tcp any any <> any any (session:binary)

It seemed to work, except that the reassembled result is partly duplicated. For example:

220 ESMTP ready
EHLO
250
MAIL From:<abc () def com>
421
QUIT
EHLO // duplicated
MAIL From:<abc () def com> // duplicated

Has anyone used 'session:binary' and seen this issue? Is this the only way to save the whole session?
------------------------------------------------------------------------------
_______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news!
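As an added illustration for this thread (not code from the thread, from Snort or from daemonlogger): once the packets are on disk, the "whole session" the poster asks for can be rebuilt from the TCP payloads by sequence number, and the sender/keyword test applied to the result. Reassembling by sequence number emits each byte once even when a segment is retransmitted or overlaps an earlier one, so the stream does not carry repeated lines whatever produced them in the poster's dump. The segments, addresses and keywords below are constructed for the example; real use would pull the payloads out of the saved pcap with a pcap library, track both directions, and handle sequence-number wrap, which this sketch assumes away.

```python
"""Added example (not from the thread): rebuild one direction of a TCP
session from captured segments and apply the SMTP sender / keyword filter
the original poster describes. Everything below is constructed for
illustration; it is not Snort's or daemonlogger's code."""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class Segment:
    seq: int        # TCP sequence number of the first payload byte
    payload: bytes  # TCP payload (assumption: short session, no seq wrap)


def reassemble(segments: Iterable[Segment]) -> Tuple[bytes, List[Tuple[int, int]]]:
    """Order segments by sequence number and emit each byte at most once.

    A segment whose bytes were all delivered already (a retransmission) is
    skipped; one that overlaps the current edge contributes only its new
    tail. Holes are recorded as (expected_seq, next_seq) so a caller can
    decide whether the rebuilt stream is trustworthy.
    """
    segs = sorted(segments, key=lambda s: s.seq)
    if not segs:
        return b"", []
    out = bytearray()
    gaps: List[Tuple[int, int]] = []
    expected = segs[0].seq
    for s in segs:
        end = s.seq + len(s.payload)
        if end <= expected:
            continue                         # nothing new in this segment
        if s.seq > expected:
            gaps.append((expected, s.seq))   # bytes missing before this one
            expected = s.seq
        out += s.payload[expected - s.seq:]  # skip the already-seen prefix
        expected = end
    return bytes(out), gaps


MAIL_FROM = re.compile(rb"^MAIL FROM:\s*<([^>]*)>", re.IGNORECASE | re.MULTILINE)


def sender(client_stream: bytes) -> Optional[str]:
    """Envelope sender from the client-to-server stream, or None."""
    m = MAIL_FROM.search(client_stream)
    return m.group(1).decode("ascii", "replace") if m else None


def message_body(client_stream: bytes) -> bytes:
    """Bytes between the DATA command and the lone '.' terminator (b'' if absent)."""
    start = client_stream.find(b"DATA\r\n")
    if start < 0:
        return b""
    start += len(b"DATA\r\n")
    end = client_stream.find(b"\r\n.\r\n", start)
    return client_stream[start:end if end >= 0 else len(client_stream)]


def should_save(client_stream: bytes, watched_senders: Iterable[str],
                keywords: Iterable[str]) -> bool:
    """The poster's rule: keep the session if the sender is on the watch list
    or the message body contains any keyword (case-insensitive)."""
    s = sender(client_stream)
    if s is not None and s.lower() in {w.lower() for w in watched_senders}:
        return True
    body = message_body(client_stream).lower()
    return any(k.lower().encode("utf-8") in body for k in keywords)


def constructed_client_segments() -> List[Segment]:
    """Constructed sample, not captured traffic: one SMTP client side with a
    full retransmission of EHLO and a partially overlapping retransmission
    of MAIL FROM. A dump that writes every segment as it arrives would show
    those lines twice; reassemble() yields each byte once."""
    lines = [
        b"EHLO mail.example\r\n",
        b"MAIL FROM:<abc@def.com>\r\n",
        b"RCPT TO:<x@example.net>\r\n",
        b"DATA\r\n",
        b"Subject: quarterly report\r\n\r\nthe secret password is hunter2\r\n",
        b".\r\n",
        b"QUIT\r\n",
    ]
    segs, seq = [], 1000
    for line in lines:
        segs.append(Segment(seq, line))
        seq += len(line)
    segs.append(segs[0])                                    # EHLO sent twice
    segs.append(Segment(segs[1].seq, lines[1] + lines[2]))  # overlaps MAIL FROM and RCPT TO
    return segs


if __name__ == "__main__":
    stream, gaps = reassemble(constructed_client_segments())
    print(stream.decode())
    print("gaps:", gaps, "save:", should_save(stream, ["abc@def.com"], ["password"]))
```

The filter only looks at the client-to-server direction, because that is where MAIL FROM and the DATA payload travel; the server replies (220, 250, 421) would be reassembled the same way from the other direction if the full transcript is wanted. A non-empty gap list means the capture lost segments and the body should not be trusted for a keyword decision.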
Current thread:
- Save reassembled session if keyword is found. 2 Hyun Yoo (Aug 25)
- Re: Save reassembled session if keyword is found. 2 Joel Esler (jesler) (Aug 25)
- Re: Save reassembled session if keyword is found. 2 Hyun Yoo (Aug 25)
- Re: Save reassembled session if keyword is found. 2 Joel Esler (jesler) (Aug 25)