[Snort-devel] plugin idea

SRH-Lists giermo at ...2099...
Mon Apr 5 14:01:09 EDT 2004


Ahh, you must be looking for spp_psychic :)
But seriously, it would be very impractical, if not impossible, to have
snort keep every session in memory (or disk for that matter) just in
case a signature fired later on in the session.

However, if you set up another instance of snort, or tcpdump for that
matter, that logs all traffic to pcap files and then create some sort of
tool that allows you to pick out a snort alert and pull up the related
pcap data, you will have just what you want.

And, 'cause I am a nice guy, we went and wrote a tool that does just
that, and a whole bunch of other stuff.

http://sguil.sf.net

-steve

> 
> No. I was talking about pre-attack packets.
> tag keyword is for post-attack packets.
> 
> On Fri, Apr 02, 2004 at 11:17:09AM -0500, Martin Roesch wrote:
> > The tag keyword already lets you do that...
> > 
> > http://www.snort.org/docs/snort_manual/node16.html#SECTION00375000000000000000
> > 
> >      -Marty
> > 
> > On Apr 2, 2004, at 3:21 AM, Sergey Lyubka wrote:
> 
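Steve's suggestion above (a second sensor logging full-content pcaps, plus a tool that pulls up the session belonging to an alert, pre-attack packets included), written out as an added Python sketch that is not part of this thread and not Sguil's code: it parses a classic pcap image, keys every packet by a direction-independent 5-tuple, and returns the alerting session within a time window around the alert. The capture, addresses, ports and timestamps are constructed for the example.

```python
import socket, struct

PCAP_MAGIC = 0xA1B2C3D4  # classic libpcap magic; linktype 1 = Ethernet

def frame(src, dst, sport, dport, payload=b""):
    """Constructed Ethernet/IPv4/TCP frame (20-byte headers, dummy MACs, seq, checksums)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x18, 8192, 0, 0)
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp + payload

def build_pcap(records):
    """Serialise (sec, usec, frame) records into a little-endian pcap file image."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)
    for sec, usec, f in records:
        out += struct.pack("<IIII", sec, usec, len(f), len(f)) + f
    return out

def read_pcap(data):
    """Yield (timestamp, frame) from a classic pcap image in either byte order."""
    endian = "<" if data[:4] == struct.pack("<I", PCAP_MAGIC) else ">"
    off = 24
    while off + 16 <= len(data):
        sec, usec, caplen, _ = struct.unpack(endian + "IIII", data[off:off + 16])
        yield sec + usec / 1e6, data[off + 16:off + 16 + caplen]
        off += 16 + caplen

def session_key(f):
    """Direction-independent (endpoints, proto) key for IPv4 TCP/UDP; None otherwise."""
    if len(f) < 38 or f[12:14] != b"\x08\x00" or f[23] not in (6, 17):
        return None
    ihl = (f[14] & 0x0F) * 4
    sport, dport = struct.unpack("!HH", f[14 + ihl:18 + ihl])
    return tuple(sorted([(f[26:30], sport), (f[30:34], dport)])), f[23]

def session_for_alert(data, src, sport, dst, dport, proto, alert_ts, before=60.0, after=10.0):
    """[(ts, frame)] of the alerting session from `before` s prior to `after` s past the alert."""
    want = (tuple(sorted([(socket.inet_aton(src), sport), (socket.inet_aton(dst), dport)])), proto)
    return [(ts, f) for ts, f in read_pcap(data)
            if session_key(f) == want and alert_ts - before <= ts <= alert_ts + after]

# Constructed full-content capture: one client/server exchange, an unrelated flow, a late packet.
CAPTURE = build_pcap([
    (100, 0, frame("10.0.0.5", "192.0.2.10", 40000, 80, b"GET /index")),
    (100, 500000, frame("192.0.2.10", "10.0.0.5", 80, 40000, b"HTTP/1.0 200")),
    (101, 0, frame("10.0.0.6", "192.0.2.10", 40001, 80, b"GET /other")),
    (130, 0, frame("10.0.0.5", "192.0.2.10", 40000, 80, b"GET /suspicious")),
    (300, 0, frame("10.0.0.5", "192.0.2.10", 40000, 80, b"GET /late")),
])
```

Calling `session_for_alert(CAPTURE, "10.0.0.5", 40000, "192.0.2.10", 80, 6, 130.0)` for an alert on the t=130 packet returns the two earlier packets of that session plus the alerting one, while the unrelated flow and the packet outside the window are left out.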