[Snort-devel] plugin idea

Michael Boman michael at ...613...
Mon Apr 5 07:08:22 EDT 2004

On Mon, 2004-04-05 at 17:42, Sergey Lyubka wrote:
> No. I was talking about pre-attack packets.
> tag keyword is for post-attack packets.

This has a very simple solution. Run another copy of snort that logs all
traffic to a pcap file (tcpdump also works). Then when a event of
interest occurs you can simply extract the relevant session/packets from
the pcap file and take a look at it.

This is all automated when you are using sguil (sguil.sf.net), and it is
*very* useful.

Michael Boman
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
URL: <https://lists.snort.org/pipermail/snort-devel/attachments/20040405/ce39eb54/attachment.sig>

More information about the Snort-devel mailing list