Snort mailing list archives

Re: Packet Capture


From: "Al Lewis (allewi) via Snort-users" <snort-users () lists snort org>
Date: Thu, 29 Jun 2017 20:30:14 +0000

Or the tagging feature:

See the README.tag file.

Taken from the file:

Introduction
------------
Tagging packets is a way to continue logging packets from a session or host
that generated an event in Snort.  When an event is generated based on a rule
that contains a tag option, information such as the IPs and ports involved, the
type of tagging decision that should be made (by session or host), for how long
to tag packets (the number of packets, seconds and/or bytes), the event id of
the packet that generated the alert (to be included in the logging information
with each tagged packet), etc. are saved into a data structure so that
subsequent packets can be checked against this information and a decision can
be made whether or not to tag/log the packet.  Tagged traffic is logged to
allow analysis of response codes and post-attack traffic.  Tag alerts will be
sent to the same output plugins as the original alert, but it is the
responsibility of the output plugin to properly handle these special alerts.
Currently, the database output plugin does not properly handle tag alerts.

Snort will only check to see whether or not it should tag a packet if that
packet did not generate an event.  An exception to this is if the event was
based on a PASS rule and that rule does not contain a tag option, that packet
will be checked.



Albert Lewis
ENGINEER.SOFTWARE ENGINEERING
SOURCEfire, Inc. now part of Cisco
Email: allewi () cisco com

From: allewi <allewi () cisco com>
Date: Thursday, June 29, 2017 at 3:39 PM
To: Justin Pederson <jpedersm () gmail com>, "snort-users () lists snort org" <snort-users () lists snort org>
Subject: Re: [Snort-users] Packet Capture

Check out the session feature:

http://manual-snort-org.s3-website-us-east-1.amazonaws.com/node34.html#SECTION00472000000000000000


Albert Lewis
ENGINEER.SOFTWARE ENGINEERING
SOURCEfire, Inc. now part of Cisco
Email: allewi () cisco com

From: Snort-users <snort-users-bounces () lists snort org> on behalf of Justin Pederson via Snort-users <snort-users () lists snort org>
Reply-To: Justin Pederson <jpedersm () gmail com>
Date: Thursday, June 29, 2017 at 3:08 PM
To: "snort-users () lists snort org" <snort-users () lists snort org>
Subject: [Snort-users] Packet Capture

Is there a way with snort to start a full pcap on an interface for the entire interface or specific IP based on an alert from the IDS?
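As an added illustration (not Snort's code and not part of the original thread), here is a small Python model of the decision the README.tag excerpt above describes: the alerting rule's tag option records a session or host plus a packets/seconds/bytes budget, and later packets that raised no event of their own are checked against that record and logged under the original event id. The `tag:session,10,seconds` and `tag:host,100,packets,src` forms in the comments are Snort rule-option syntax; the `Packet`/`Tagger` names and the trace in `demo()` are constructed for this example.

```python
from collections import namedtuple
from typing import Optional

# Constructed model (not Snort's own code) of the tagging decision README.tag describes.
# event: id of a rule this packet itself triggered; pass_rule: that rule was a PASS rule with no tag option
Packet = namedtuple("Packet", "ts src sport dst dport size event pass_rule", defaults=(None, False))

class Tagger:
    def __init__(self) -> None:
        self.entries: dict = {}   # tag key -> {event, metric, limit, start, used}

    @staticmethod
    def session_key(p) -> tuple:  # direction-agnostic: both halves of the conversation match
        return ("session", frozenset({(p.src, p.sport), (p.dst, p.dport)}))

    def on_alert(self, p, event_id, tag_type, limit, metric, direction="src"):
        # what a rule option such as tag:session,10,seconds or tag:host,100,packets,src records
        key = self.session_key(p) if tag_type == "session" else ("host", p.src if direction == "src" else p.dst)
        self.entries[key] = {"event": event_id, "metric": metric, "limit": limit, "start": p.ts, "used": 0}

    def check(self, p) -> Optional[int]:
        # a packet that generated its own event is not checked (PASS-rule events excepted)
        if p.event is not None and not p.pass_rule:
            return None
        for key in (self.session_key(p), ("host", p.src), ("host", p.dst)):
            if (e := self.entries.get(key)) is None:
                continue
            if e["metric"] == "seconds":
                expired = p.ts - e["start"] > e["limit"]
            else:
                e["used"] += p.size if e["metric"] == "bytes" else 1
                expired = e["used"] > e["limit"]
            if expired:
                del self.entries[key]  # limit reached: stop tagging this key
                continue
            return e["event"]  # log this packet with the original event id
        return None

def demo() -> list:
    # constructed trace: rule 1000001 fires on a telnet session with tag:session,10,seconds
    t = Tagger()
    t.on_alert(Packet(0.0, "10.0.0.5", 40000, "10.0.0.9", 23, 60, 1000001), 1000001, "session", 10, "seconds")
    trace = [Packet(1.0, "10.0.0.9", 23, "10.0.0.5", 40000, 120),            # reply in the session: tagged
             Packet(2.0, "10.0.0.5", 40000, "10.0.0.9", 23, 80, 1000002),    # raised its own event: not checked
             Packet(3.0, "10.0.0.5", 40001, "10.0.0.9", 23, 80),             # another session: not tagged
             Packet(10.0, "10.0.0.9", 23, "10.0.0.5", 40000, 120),           # at the 10 s limit: still tagged
             Packet(11.0, "10.0.0.9", 23, "10.0.0.5", 40000, 120)]           # past the limit: not tagged
    return [t.check(p) for p in trace]
```

`demo()` returns the event id each tagged packet would be logged with (`None` where the packet is not tagged); the host and bytes metrics work the same way through `on_alert`.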
_______________________________________________
Snort-users mailing list
Snort-users () lists snort org
Go to this URL to change user options or unsubscribe:
https://lists.snort.org/mailman/listinfo/snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
