[Snort-devel] plugin idea
michael at ...613...
Mon Apr 5 07:08:22 EDT 2004
On Mon, 2004-04-05 at 17:42, Sergey Lyubka wrote:
> No. I was talking about pre-attack packets.
> tag keyword is for post-attack packets.
This has a very simple solution. Run another copy of snort that logs all
traffic to a pcap file (tcpdump also works). Then when an event of
interest occurs you can simply extract the relevant session/packets from
the pcap file and take a look at it.
This is all automated when you are using sguil (sguil.sf.net), and it is
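The extraction step described above, as an added example that is not part of the post and is not code from Snort, tcpdump or sguil: a minimal parser for a full-traffic pcap (Ethernet/IPv4/TCP, little-endian classic format) that pulls out the packets of the alerting TCP session seen in the window before the alert, i.e. the pre-attack context. The capture bytes, addresses, ports and alert time are all constructed inline for the example; IP/TCP checksums are left zero.

```python
import struct
from collections import namedtuple

Packet = namedtuple("Packet", "ts src sport dst dport payload")  # ts: float seconds

def parse_pcap(data):
    """Parse a little-endian classic pcap (magic 0xa1b2c3d4) holding Ethernet/IPv4/TCP frames."""
    assert struct.unpack("<I", data[:4])[0] == 0xA1B2C3D4, "only LE microsecond pcap handled"
    off, pkts = 24, []  # skip the 24-byte global header
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _ = struct.unpack("<IIII", data[off:off + 16])
        frame = data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if struct.unpack("!H", frame[12:14])[0] != 0x0800:
            continue  # not IPv4
        ip = frame[14:]
        if ip[9] != 6:
            continue  # not TCP
        ihl = (ip[0] & 0x0F) * 4
        src, dst = ".".join(map(str, ip[12:16])), ".".join(map(str, ip[16:20]))
        tcp = ip[ihl:]
        sport, dport = struct.unpack("!HH", tcp[:4])
        doff = (tcp[12] >> 4) * 4
        pkts.append(Packet(ts_sec + ts_usec / 1e6, src, sport, dst, dport, tcp[doff:]))
    return pkts

def session_before_alert(pkts, alert_ts, src, sport, dst, dport, window=60.0):
    """Packets of the alerting TCP session (both directions) seen up to `window` seconds before the alert."""
    fwd, rev = (src, sport, dst, dport), (dst, dport, src, sport)
    return [p for p in pkts
            if (p.src, p.sport, p.dst, p.dport) in (fwd, rev) and alert_ts - window <= p.ts <= alert_ts]

def _frame(ts, src, sport, dst, dport, payload):
    """Build one pcap record: Ethernet + IPv4 + TCP (checksums zero; fine for a constructed sample)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 8192, 0, 0)
    frame = b"\x00" * 12 + b"\x08\x00" + ip + tcp + payload
    return struct.pack("<IIII", int(ts), int(round((ts % 1) * 1e6)), len(frame), len(frame)) + frame

# Constructed sample capture: an unrelated earlier session, then the session whose last packet alerts at t=1130.
SAMPLE_PCAP = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1) + b"".join([
    _frame(1000.0, "10.0.0.5", 40000, "10.0.0.9", 80, b"GET /index.html HTTP/1.0\r\n\r\n"),
    _frame(1100.0, "10.0.0.5", 40001, "10.0.0.9", 80, b"GET /login HTTP/1.0\r\n\r\n"),
    _frame(1100.5, "10.0.0.9", 80, "10.0.0.5", 40001, b"HTTP/1.0 200 OK\r\n\r\n"),
    _frame(1130.0, "10.0.0.5", 40001, "10.0.0.9", 80, b"POST /login HTTP/1.0\r\n\r\n"),
])
```

Feed it the alert's timestamp and 5-tuple, e.g. `session_before_alert(parse_pcap(SAMPLE_PCAP), 1130.0, "10.0.0.5", 40001, "10.0.0.9", 80)`, and the unrelated earlier session is dropped while the request, reply and alerting packet of the flagged session are returned in capture order.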