Snort mailing list archives

logging entire sessions


From: Avleen Vig <avleen () ivision co uk>
Date: Wed, 22 Aug 2001 00:48:01 +0100 (BST)

Anyone know if this feature is available in Snort?
I've been playing around with 1.8.1 a bit and not as much as I should
have :)  but I've not seen anything like the following.

If indeed it's not available, I'd like to suggest it as a feature for
<put version here>.


When an alert of type x is triggered, I can consider it minor and ignore
the one-off. Or type x could be traffic I see daily but don't want to
remove from my logs. We'll call type x 'non-hostile'.

Then there is type y. When I see packets of type y, I don't just want to
log them but I want to tcpdump the entire session with the offending src
for the next z minutes. I would think this is a semi-obvious thing..
someone is attacking your network, so you capture all their traffic!

Is this possible?

--

Avleen Vig, Systems Administrator
Email: avleen () ivision co uk               Mobile: (07974) 100 573

Internet Vision                                Tel: 020 7589 4500
60 Albert Court                                Fax: 020 7589 4522
Prince Consort Road                            info () ivision co uk
London. SW7 2BE                         http://www.ivision.co.uk/
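The behaviour asked for above (a "non-hostile" type x alert is logged and otherwise ignored, a "hostile" type y alert makes the sensor capture every packet to or from the offending host for the next z minutes) is what Snort's `tag` rule option expresses per rule, e.g. `tag:host,300,seconds,src;`. The block below is an added, stand-alone Python model of that decision logic so the semantics can be tested offline; it is not Snort's code and not part of the original message. The signature ids, hosts, policy table and event timeline are constructed for the example.

```python
"""Model of alert-triggered session capture ("tagging").

Added example, not Snort's code. Alerts of a 'non-hostile' type (type x in
the post) are logged and otherwise ignored; alerts of a 'hostile' type
(type y) tag the offending host so that every packet to or from it is
captured for the next z seconds.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    ts: float      # seconds since capture start
    src: str
    dst: str
    summary: str   # constructed one-line description for the demo


@dataclass(frozen=True)
class Alert:
    ts: float
    sid: int       # signature id of the rule that fired
    src: str       # offending source host
    dst: str


# Constructed policy: sid -> seconds of follow-on capture ("z minutes").
# Any sid absent from the table is type x: alert only, no capture.
TAG_POLICY = {1001: 300, 1002: 60}


class TagCapture:
    """Keeps a table of tagged hosts and decides, packet by packet, what to capture."""

    def __init__(self, policy):
        self.policy = policy
        self.tagged = {}        # host -> timestamp at which its tag expires
        self.captured = []      # packets that would be written to the pcap

    def on_alert(self, alert):
        """Return True if the alert tagged a host, False if it was type x."""
        window = self.policy.get(alert.sid)
        if window is None:
            return False
        expiry = alert.ts + window
        # A repeat alert extends the window; it never shortens one already running.
        self.tagged[alert.src] = max(expiry, self.tagged.get(alert.src, 0.0))
        return True

    def on_packet(self, pkt):
        """Return True if the packet was captured because one endpoint is tagged."""
        self._expire(pkt.ts)
        for host in (pkt.src, pkt.dst):
            if host in self.tagged:
                self.captured.append(pkt)
                return True
        return False

    def _expire(self, now):
        # Drop tags whose window has elapsed before deciding on this packet.
        stale = [h for h, exp in self.tagged.items() if exp < now]
        for h in stale:
            del self.tagged[h]


# Constructed timeline: a benign host that trips a type x rule, then a scanner
# that trips a type y rule, followed by traffic in both directions and a
# packet arriving after the window has closed.
SAMPLE_EVENTS = [
    Packet(0.0, "10.0.0.5", "10.0.0.80", "client->server GET /"),
    Alert(1.0, 2000, "10.0.0.5", "10.0.0.80"),          # type x: not in TAG_POLICY
    Packet(2.0, "10.0.0.5", "10.0.0.80", "client->server GET /index"),
    Alert(3.0, 1001, "192.0.2.7", "10.0.0.80"),         # type y: tag for 300 s
    Packet(4.0, "192.0.2.7", "10.0.0.80", "scanner->server SYN"),
    Packet(5.0, "10.0.0.80", "192.0.2.7", "server->scanner SYN/ACK"),
    Packet(6.0, "10.0.0.5", "10.0.0.80", "client->server GET /css"),
    Packet(310.0, "192.0.2.7", "10.0.0.80", "scanner->server SYN (late)"),
]


def run_demo(events=SAMPLE_EVENTS, policy=TAG_POLICY):
    """Feed the timeline through TagCapture and return the captured summaries."""
    cap = TagCapture(policy)
    for ev in events:
        if isinstance(ev, Alert):
            cap.on_alert(ev)
        else:
            cap.on_packet(ev)
    return [p.summary for p in cap.captured]


if __name__ == "__main__":
    for line in run_demo():
        print("captured:", line)
```

Running the demo captures only the two packets exchanged with the tagged scanner inside the 300 s window; the benign host's traffic and the late packet at t=310 are not captured. Keying the table on the host rather than on the single flow that raised the alert is what makes replies and follow-on connections land in the same capture.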


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
