Snort mailing list archives
Re: Snort PCAP on selected rules
From: AllowOverride <allowoverride () gmail com>
Date: Thu, 04 Oct 2012 09:26:16 -0700
I would like to see an example of this; could someone post it as an attachment? Tagging syntax examples. Where would we put this, in local.rules? Also, can local.rules and snort.rules (the PulledPork one rule file) both be used? I am starting to see that there are a few ways to read rules, still unclear exactly, but getting there. Thanks

On Thu, 2012-10-04 at 09:39 -0400, Joel Esler wrote:
> On Oct 4, 2012, at 12:38 AM, Mr. Qoheleth <qoheleth26 () gmail com> wrote:
>
>> Hello all once again! I have another question I was unable to find out: Snort has the ability to capture the traffic in pcap files. I am hoping there is a way to only start capturing the traffic of a conversation that matched a rule alert? So in other words, I do not wish to save every packet on my network in my pcap files; I only wish to save packets that match a detected attack. So is there a way that once an alert fires, then I can have snort begin to log all traffic relating to that conversation in a pcap file? Thanks again so much!
>
> http://manual.snort.org/node34.html#SECTION00475000000000000000
>
> ------------------------------------------------------------------------------
> Don't let slow site performance ruin your business. Deploy New Relic APM
> Deploy New Relic app performance management and know exactly what is happening inside your Ruby, Python, PHP, Java, and .NET app
> Try New Relic at no cost today and get our sweet Data Nerd shirt too!
> http://p.sf.net/sfu/newrelic-dev2dev
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs () lists sourceforge net
> https://lists.sourceforge.net/lists/listinfo/snort-sigs
> http://www.snort.org
> Please visit http://blog.snort.org for the latest news about Snort!
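An added illustration, not posted in this thread, of the `tag` post-detection option that the manual section Joel links to documents, placed in local.rules with a matching snort.conf fragment; the SIDs, ports, URI and file names are constructed for the example:

```conf
# --- local.rules (constructed example; local SIDs start at 1000000) ---

# When this rule fires, keep logging every packet of the same TCP
# session for 30 seconds after the alert, so the rest of the
# conversation is written to the log output next to the alert.
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 ( \
    msg:"LOCAL example - tag the rest of this session"; \
    flow:to_server,established; \
    content:"/example-bad-uri"; http_uri; \
    tag:session,30,seconds; \
    classtype:web-application-attack; sid:1000001; rev:1; )

# Variant: tag by host instead of by session. After the alert, log the
# next 100 packets sent by the source host, whatever it talks to.
# Direction (src or dst) is required with the host type.
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 ( \
    msg:"LOCAL example - tag traffic from the source host"; \
    flow:to_server; flags:S; \
    tag:host,100,packets,src; \
    classtype:attempted-recon; sid:1000002; rev:1; )

# --- snort.conf fragment (constructed example) ---

# Upper bound on packets logged per tag when the metric is not
# "packets" (e.g. the seconds-based rule above); Snort's default is 256.
config tagged_packet_limit: 256

# Tagged packets go to the log output plugin, so a pcap-format logger
# is what actually produces the capture file the original question asks for.
output log_tcpdump: tagged.log

# Both rule files can be loaded; each is just another include.
include $RULE_PATH/snort.rules
include $RULE_PATH/local.rules
```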
Current thread:
- Snort PCAP on selected rules Mr. Qoheleth (Oct 04)
- Re: Snort PCAP on selected rules Joel Esler (Oct 04)
- Re: Snort PCAP on selected rules AllowOverride (Oct 04)
- <Possible follow-ups>
- Fwd: Re: Snort PCAP on selected rules Edward Fjellskål (Oct 04)
- Re: Snort PCAP on selected rules Joel Esler (Oct 04)