[Snort-sigs] capturing and inspecting an email!
bmc at ...95...
Mon Jul 7 15:35:03 EDT 2003
On Fri, Jul 04, 2003 at 06:09:57PM -0400, "Héroux, Christian" wrote:
> I would like to make a rule not based on a single packet but on the whole sequence of packets forming an email to check for the word "password" and log that email. I have checked the rules and they only inspect at the packet level! How do you use the Stream4 preprocessor when writing a rule?
Snort doesn't buffer packets previous to an alert being generated. You
can log the rest of the session with a 'tag' keyword, but you won't get
any packets in the session before the alert is generated.
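
The approach described in the reply, written out as an added example (not part of the original message and not a rule shipped with Snort). The sid, the message text, the 300-second window and the use of `$SMTP_SERVERS` are assumptions chosen for illustration.

```snort
# snort.conf fragment (constructed for illustration)
# Stream4 tracks TCP sessions; stream4_reassemble rebuilds the client side of
# port-25 traffic so a content match is not limited to a single segment.
preprocessor stream4
preprocessor stream4_reassemble: clientonly, ports 25

# Alert when "password" appears in client-to-server SMTP traffic, then tag the
# session: packets that follow the alert are logged for up to 300 seconds.
# Packets seen before the alert fired are not captured.
alert tcp any any -> $SMTP_SERVERS 25 (msg:"LOCAL SMTP message contains password"; flow:to_server,established; content:"password"; nocase; tag:session,300,seconds; classtype:policy-violation; sid:1000001; rev:1;)
```

Because the tag only covers traffic after the match, the SMTP envelope and any message lines sent before the keyword will be missing from the log.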