[Snort-sigs] capturing and inspecting an email!

Brian bmc at ...95...
Mon Jul 7 15:35:03 EDT 2003


On Fri, Jul 04, 2003 at 06:09:57PM -0400, "Héroux, Christian" wrote:
> I would like to make a rule not based on a single packet but on the whole sequence of packets forming an email, to check for the word "password" and log that email. I have checked the rules and they only inspect at the packet level! How do you use the Stream4 preprocessor when writing a rule?

Snort doesn't buffer packets previous to an alert being generated.  You
can log the rest of the session with a 'tag' keyword, but you won't get
any packets in the session before the alert is generated.

-brian
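
An added example, not part of the original message, of the 'tag' keyword mentioned in the reply: a local rule that alerts on "password" in traffic to the mail server and then logs the packets that follow in the same session. The sid, message text and 300-second window are constructed values, and $EXTERNAL_NET and $SMTP_SERVERS are assumed to be defined in snort.conf.

```snort
# Constructed local rule (sid chosen from the local range, >= 1000000).
# The content match fires the alert; tag:session,300,seconds then logs
# packets of the same session for the next 300 seconds.
# Packets seen before the alert fired are not logged.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( \
    msg:"LOCAL SMTP message contains password"; \
    flow:to_server,established; \
    content:"password"; nocase; \
    tag:session,300,seconds; \
    sid:1000001; rev:1;)
```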



