[Snort-sigs] Snort PCAP on selected rules

Joel Esler jesler at ...435...
Thu Oct 4 09:39:37 EDT 2012


On Oct 4, 2012, at 12:38 AM, Mr. Qoheleth <qoheleth26 at ...2420...> wrote:

> Hello all once again!
> 
> I have another question I was unable to find out:  Snort has the ability to capture the traffic in pcap files.  I am hoping there is a way to only start capturing the traffic of a conversation that matched a rule alert?  So in other words, I do not wish to save every packet on my network in my pcap files; I only wish to save packets that match a detected attack.  So is there a way that once an alert fires, then I can have snort begin to log all traffic relating to that conversation in a pcap file?
> 
> Thanks again so much!

http://manual.snort.org/node34.html#SECTION00475000000000000000