Snort mailing list archives
Alerts and packet capture - MYSQL
From: Snow Jacob C KPWA <JacobSC () kpt nuwc navy mil>
Date: Mon, 19 May 2003 11:25:34 -0700
I am using snort 2.0 to capture data based on a custom rule:

alert tcp $HOME_NET any -> $EXTERNAL_NET :1024 (msg:"Syn Outbound";flags:S;tag:session,2,packets;)

and logging this information to a MySQL database. I then want to look through this data to see if a synack is sent back (aka a complete handshake/connection). I am capturing additional packets as well. When I try and view the additional packets in snort I am only getting the packet that triggers the rule, not the extra packets that were captured. Is there a way to view this information with ACID, or am I stuck doing it by hand? Also, is there a way to write the rule such that it won't trigger if I don't get a synack back? Does ACID already do this and I am missing something? A little advice from the snort gurus and everyone else would be nice :-).

Thank you,
Jacob Snow
jacobsc () kpt nuwc navy mil
(360)315-3487
NAVSEA Intern
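The check the poster wants to do by hand (did a SYN/ACK come back for each alerted SYN?) can be scripted over the packets that tag:session logs alongside the alert. The script below is an added example, not code from the poster or from the Snort project. It emulates the rule's match (outbound SYN to a port at or below 1024) and the tag:session,2,packets window (the next two packets of the same session after the alerting packet) over a small constructed packet list, then classifies each alerted flow as established (SYN/ACK returned), refused (RST returned) or no-reply. The $HOME_NET prefix, the sample traffic and the assumption that a retransmitted SYN counts toward the tagged window are all assumptions made for the example.

```python
from collections import defaultdict

HOME_NET_PREFIX = "10.0.0."  # assumption: $HOME_NET is 10.0.0.0/24

# Constructed sample traffic in arrival order: (src, sport, dst, dport, flags).
# Flag letters follow Snort's flags: keyword (S=SYN, A=ACK, R=RST).
SAMPLE_PACKETS = [
    ("10.0.0.5", 40001, "203.0.113.10", 80, "S"),     # alert: outbound SYN
    ("203.0.113.10", 80, "10.0.0.5", 40001, "SA"),    # SYN/ACK back
    ("10.0.0.5", 40001, "203.0.113.10", 80, "A"),     # handshake completes
    ("10.0.0.5", 40002, "203.0.113.20", 22, "S"),     # alert: outbound SYN
    ("203.0.113.20", 22, "10.0.0.5", 40002, "RA"),    # port closed, RST back
    ("10.0.0.5", 40003, "203.0.113.30", 443, "S"),    # alert: outbound SYN
    ("10.0.0.5", 40003, "203.0.113.30", 443, "S"),    # retransmit, nothing back
]


def session_key(pkt):
    """Direction-independent key so both halves of a conversation group together."""
    src, sport, dst, dport, _ = pkt
    return tuple(sorted([(src, sport), (dst, dport)]))


def matches_rule(pkt):
    """Mirror of: alert tcp $HOME_NET any -> $EXTERNAL_NET :1024 (flags:S;)"""
    src, _, dst, dport, flags = pkt
    return (flags == "S"
            and src.startswith(HOME_NET_PREFIX)
            and not dst.startswith(HOME_NET_PREFIX)
            and dport <= 1024)


def tag_session(packets, count=2):
    """Emulate tag:session,<count>,packets: for every packet that fires the rule,
    collect the next <count> packets of the same session (assumption: a
    retransmitted SYN is part of the session and uses up one of those slots)."""
    tagged = []
    for i, pkt in enumerate(packets):
        if not matches_rule(pkt):
            continue
        key = session_key(pkt)
        follow = [p for p in packets[i + 1:] if session_key(p) == key][:count]
        tagged.append((pkt, follow))
    return tagged


def handshake_status(alert, follow):
    """Classify one alerted SYN from the packets tagged after it."""
    src, sport, dst, dport, _ = alert
    # Only packets travelling back toward the initiator count as replies.
    replies = [p for p in follow
               if (p[0], p[1], p[2], p[3]) == (dst, dport, src, sport)]
    if any(set(p[4]) == {"S", "A"} for p in replies):
        return "established"   # SYN/ACK came back: handshake completed
    if any("R" in p[4] for p in replies):
        return "refused"       # RST came back: port closed
    return "no-reply"          # nothing back inside the tagged window


def classify(packets, count=2):
    """Map each alerted (src, sport, dst, dport) flow to its handshake status."""
    return {(a[0], a[1], a[2], a[3]): handshake_status(a, f)
            for a, f in tag_session(packets, count)}


if __name__ == "__main__":
    for flow, status in classify(SAMPLE_PACKETS).items():
        print(f"{flow[0]}:{flow[1]} -> {flow[2]}:{flow[3]}  {status}")
```

Two packets is enough of a window to see a SYN/ACK or an RST in the common case, but a retransmitted SYN consumes a slot, so a larger count (or tag:session with a seconds window) is safer if the answer matters. The equivalent on the Snort side is a second rule in the reply direction, $EXTERNAL_NET :1024 -> $HOME_NET any with flags:SA, so that the SYN/ACK itself generates an alert you can join against the outbound SYN alert in the database by address and port pair.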
Current thread:
- Alerts and packet capture - MYSQL Snow Jacob C KPWA (May 19)
- Re: Alerts and packet capture - MYSQL Erek Adams (May 19)
- <Possible follow-ups>
- Alerts and packet capture - MYSQL Snow Jacob C KPWA (May 19)