[Snort-sigs] Snort PCAP on selected rules

Mr. Qoheleth qoheleth26 at ...2420...
Thu Oct 4 00:38:58 EDT 2012


Hello all once again!

I have another question I was unable to find out:  Snort has the ability to
capture the traffic in pcap files.  I am hoping there is a way to only
start capturing the traffic of a conversation that matched a rule alert?
So in other words, I do not wish to save every packet on my network in my
pcap files; I only wish to save packets that match a detected attack.  So
is there a way that once an alert fires, then I can have snort begin to log
all traffic relating to that conversation in a pcap file?

Thanks again so much!