Snort mailing list archives

Re: Snort PCAP on selected rules

From: AllowOverride <allowoverride () gmail com>
Date: Thu, 04 Oct 2012 09:26:16 -0700

i would like to see an example of this, could someone post it as
attachment? taggin syntax examples. where would we put this, in
local.rules? also, can local.rules and snort.rules (pulledpork one rule
file) both be used? i am starting to see that there is a few ways to
read rules, still unclear exactly, but getting there. thanks

On Thu, 2012-10-04 at 09:39 -0400, Joel Esler wrote:

On Oct 4, 2012, at 12:38 AM, Mr. Qoheleth <qoheleth26 () gmail com>
wrote:

Hello all once again!


I have another question I was unable to find out:  Snort has the
ability to capture the traffic in pcap files.  I am hoping there is
a way to only start capturing the traffic of a conversation that
matched a rule alert?  So in orther words, I do not wish to save
every packet on my network in my pcap files; I only wish to save
packets that match a detected attack.  So is there a way that once
an alert fires, then I can have snort begin to log all traffic
relating to that conversation in a pcap file?


Thanks again so much!


http://manual.snort.org/node34.html#SECTION00475000000000000000
------------------------------------------------------------------------------
Don't let slow site performance ruin your business. Deploy New Relic APM
Deploy New Relic app performance management and know exactly
what is happening inside your Ruby, Python, PHP, Java, and .NET app
Try New Relic at no cost today and get our sweet Data Nerd shirt too!
http://p.sf.net/sfu/newrelic-dev2dev
_______________________________________________ Snort-sigs mailing list Snort-sigs () lists sourceforge net 
https://lists.sourceforge.net/lists/listinfo/snort-sigs http://www.snort.org Please visit http://blog.snort.org for 
the latest news about Snort!



------------------------------------------------------------------------------
Don't let slow site performance ruin your business. Deploy New Relic APM
Deploy New Relic app performance management and know exactly
what is happening inside your Ruby, Python, PHP, Java, and .NET app
Try New Relic at no cost today and get our sweet Data Nerd shirt too!
http://p.sf.net/sfu/newrelic-dev2dev
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!

Current thread:

Snort PCAP on selected rules Mr. Qoheleth (Oct 04)
- Re: Snort PCAP on selected rules Joel Esler (Oct 04)
  - Re: Snort PCAP on selected rules AllowOverride (Oct 04)
- <Possible follow-ups>
- Fwd: Re: Snort PCAP on selected rules Edward Fjellskål (Oct 04)