Snort mailing list archives
Re: logging entire sessions
From: Chris Green <cmg () uab edu>
Date: 21 Aug 2001 22:40:36 -0500
Avleen Vig <avleen () ivision co uk> writes:
Then there is type y. When I see packets of type y, I don't just want to log them but I want to tcpdump the entire session with the offending src for the next z minutes. I would think this is a semi-obvious thing... someone is attacking your network, so you capture all their traffic! Is this possible?
Look at tag: in snort 1.8.1 add tag: host, 10, seconds; to specific rules to log the packets from that machine for the next 10 seconds. This is extraordinarily useful for examining responses from exploit attempts as well

--
Chris Green <cmg () uab edu>
I've had a perfectly wonderful evening. But this wasn't it. -- Groucho Marx
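The behaviour Chris describes, as an added illustration that is not part of the original thread or of Snort's own code: a small simulator that parses the `tag: host, 10, seconds;` option quoted above and walks a constructed packet list, marking the packets Snort would log after a rule fires. The `Packet` class, the sample traffic, the `session` handling (bidirectional address pair) and the rule that a repeat alert restarts the window are assumptions of this simulator, not statements about Snort 1.8.1 internals.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Rule-option syntax from the reply above:  tag: <type>, <count>, <metric>;
#   type   -> host    : tag further packets from the source host that fired the rule
#             session : tag further packets between the same two hosts (simulator assumption)
#   metric -> seconds : keep tagging for <count> seconds after the alert
#             packets : keep tagging for the next <count> packets
TAG_RE = re.compile(
    r"^tag:\s*(?P<type>host|session)\s*,\s*(?P<count>\d+)\s*,\s*(?P<metric>seconds|packets)\s*;?$"
)


def parse_tag(option: str) -> Dict[str, object]:
    """Parse a tag: rule option into its fields; raise ValueError on bad syntax."""
    m = TAG_RE.match(option.strip())
    if not m:
        raise ValueError(f"not a valid tag option: {option!r}")
    return {"type": m["type"], "count": int(m["count"]), "metric": m["metric"]}


@dataclass(frozen=True)
class Packet:
    ts: float                 # capture time in seconds
    src: str
    dst: str
    triggers_rule: bool = False   # True when the rule body matched this packet


def tagged_packets(packets: List[Packet], tag: Dict[str, object]) -> List[int]:
    """Return indices of packets that would be written to the log: every packet
    that fired the rule, plus the follow-on packets covered by the tag window.
    A repeat alert from the same host restarts its window (simulator assumption)."""
    # key -> expiry timestamp (seconds metric) or remaining packet budget (packets metric)
    active: Dict[object, float] = {}
    logged: List[int] = []
    by_seconds = tag["metric"] == "seconds"
    for i, p in enumerate(packets):
        key = p.src if tag["type"] == "host" else tuple(sorted((p.src, p.dst)))
        if p.triggers_rule:
            logged.append(i)
            active[key] = p.ts + tag["count"] if by_seconds else tag["count"]
            continue
        if key not in active:
            continue
        if by_seconds:
            if p.ts <= active[key]:
                logged.append(i)
            else:
                del active[key]          # window expired; stop logging this key
        else:
            logged.append(i)
            active[key] -= 1
            if active[key] <= 0:
                del active[key]          # packet budget exhausted
    return logged


# Constructed traffic: 10.0.0.5 triggers the rule at t=100; 10.0.0.9 is an unrelated host.
SAMPLE = [
    Packet(100.0, "10.0.0.5", "10.0.0.1", triggers_rule=True),  # 0: the alert itself
    Packet(101.0, "10.0.0.5", "10.0.0.1"),   # 1: same src host, inside window
    Packet(102.0, "10.0.0.9", "10.0.0.1"),   # 2: other host, never tagged
    Packet(105.0, "10.0.0.5", "10.0.0.2"),   # 3: same src host, different dst
    Packet(109.9, "10.0.0.5", "10.0.0.1"),   # 4: still inside the 10 s window
    Packet(110.5, "10.0.0.5", "10.0.0.1"),   # 5: window expired
    Packet(111.0, "10.0.0.5", "10.0.0.1"),   # 6: not logged either
]

if __name__ == "__main__":
    tag = parse_tag("tag: host, 10, seconds;")
    print("logged packet indices:", tagged_packets(SAMPLE, tag))
```

Running the block with the option from the reply logs packets 0, 1, 3 and 4: everything from 10.0.0.5 for ten seconds after the alert, regardless of destination, while the unrelated host is untouched. Switching the metric to `packets` or the type to `session` changes which follow-on packets are kept, which is the knob to adjust when the goal is capturing the responses to an exploit attempt rather than only the attacker's outbound traffic.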