Snort mailing list archives

Re: logging entire sessions


From: Chris Green <cmg () uab edu>
Date: 21 Aug 2001 22:40:36 -0500

Avleen Vig <avleen () ivision co uk> writes:


> Then there is type y. When I see packets of type y, I don't just want to
> log them but I want to tcpdump the entire session with the offending src
> for the next z minutes. I would think this is a semi-obvious thing..
> someone is attacking your network, so you capture all their traffic!
>
> Is this possible?


Look at tag: in snort 1.8.1

add

tag: host, 10, seconds;

to specific rules to log the packets from that machine for the next 10
seconds.

This is extraordinarily useful for examining responses from exploit
attempts as well.
-- 
Chris Green <cmg () uab edu>
I've had a perfectly wonderful evening. But this wasn't it.
     -- Groucho Marx

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
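Two complete rules showing the tag option as Chris describes it, one tagging the source host and one tagging only the offending session. This is an added example for this archive page, not a rule from the thread or from the Snort distribution; $EXTERNAL_NET and $HOME_NET are assumed to be defined in snort.conf, the content strings and sids are placeholders, and the explicit src direction on the host tag is a choice made here (Chris's one-liner omits it).

```snort
# Added example, not from the original post. Assumes $EXTERNAL_NET and
# $HOME_NET are set in snort.conf; content strings and sids are placeholders.

# Host tagging (Avleen's case): once this rule fires, log every packet from
# the offending source host for the next 600 seconds (10 minutes), not only
# packets that match a rule. The metric can be seconds, packets or bytes.
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"Example web probe - tag source host"; content:"/cgi-bin/example"; nocase; tag: host, 600, seconds, src; sid:1000001; rev:1;)

# Session tagging (Chris's "responses from exploit attempts" case): log only
# the remainder of the TCP session that triggered the alert, both directions,
# for the next 50 packets.
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"Example FTP probe - tag session"; content:"SITE EXAMPLE"; nocase; tag: session, 50, packets; sid:1000002; rev:1;)
```

Pick the count and metric to match what you want to capture: a seconds count bounds how long the host stays tagged, a packets or bytes count bounds how much disk a noisy attacker can fill. Snort's own logging output (binary or text, as configured with -b or the output plugins) receives the tagged packets, so they end up alongside the alert that started the capture.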