[Snort-devel] plugin idea

Martin Roesch roesch at ...402...
Fri Apr 2 08:17:09 EST 2004


The tag keyword already lets you do that...

http://www.snort.org/docs/snort_manual/node16.html#SECTION00375000000000000000

     -Marty

On Apr 2, 2004, at 3:21 AM, Sergey Lyubka wrote:

> What do you think about this: making a plugin that stores the whole
> of, say, a TCP session, from the very first packet to the very last,
> for some rules.
> Example: you have a match, say, in some SMTP rule. The beginning of the
> stream with the SMTP headers is already lost, as are all subsequent
> packets. So you mark that SMTP rule with some keyword, and when it is
> matched, the full stream is saved, say, in a pcap file for further
> investigation.
>
> On Thu, Apr 01, 2004 at 08:42:27PM +0200, Piotr Kowalczyk wrote:
>> Hello World\n
>> University as fast as possible), please.
>> I'd be _extremely_ grateful,
>> and thank you in advance
>>
>> 	Piotr Kowalczyk
>>
>
-- 
Martin Roesch - Founder/CTO, Sourcefire Inc. - (410)290-1616
Sourcefire: Intelligent Security Monitoring
roesch at ...402... - http://www.sourcefire.com
Snort: Open Source Network IDS - http://www.snort.org
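
Added example, not part of the original message or of the Snort distribution: a local rule that uses the tag keyword mentioned in the reply, so that traffic from the same session keeps being logged after the rule fires. The manual describes tag as logging additional traffic once a rule has triggered. The message text, content string and sid below are constructed placeholders, and $EXTERNAL_NET and $SMTP_SERVERS are assumed to be defined in snort.conf.

```snort
# Constructed example rule. On a match in an established SMTP session,
# tag the session so that further packets from it are logged for
# 300 seconds after the triggering packet.
#   tag: <type>, <count>, <metric>
#     type   = session  (log packets in the session that set off the rule)
#     count  = 300
#     metric = seconds  (the other metric is "packets")
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( \
    msg:"LOCAL example SMTP match, session tagged"; \
    flow:to_server,established; \
    content:"constructed-marker-string"; \
    tag:session,300,seconds; \
    sid:1000001; rev:1;)
```

The tagged packets only reach disk if an output mode that records packets is enabled, for example binary (tcpdump-format) logging.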




