[Snort-sigs] Snort PCAP on selected rules

AllowOverride allowoverride at ...2420...
Thu Oct 4 12:26:16 EDT 2012


I would like to see an example of this; could someone post it as an
attachment? Tagging syntax examples. Where would we put this, in
local.rules? Also, can local.rules and snort.rules (the PulledPork one-rule
file) both be used? I am starting to see that there are a few ways to
read rules, still unclear exactly, but getting there. Thanks

On Thu, 2012-10-04 at 09:39 -0400, Joel Esler wrote:
> On Oct 4, 2012, at 12:38 AM, Mr. Qoheleth <qoheleth26 at ...2420...>
> wrote:
> 
> > Hello all once again!
> > 
> > 
> > I have another question I was unable to find out:  Snort has the
> > ability to capture the traffic in pcap files.  I am hoping there is
> > a way to only start capturing the traffic of a conversation that
> > matched a rule alert?  So in other words, I do not wish to save
> > every packet on my network in my pcap files; I only wish to save
> > packets that match a detected attack.  So is there a way that once
> > an alert fires, then I can have snort begin to log all traffic
> > relating to that conversation in a pcap file?
> > 
> > 
> > Thanks again so much!
> 
> http://manual.snort.org/node34.html#SECTION00475000000000000000
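As an added illustration, not taken from the thread or from the Snort project's own rule files: the manual section Joel links describes the `tag` rule option, which tells Snort to keep logging packets of the matching session (or host) after an alert fires instead of capturing everything. The rules below are constructed examples; the SID numbers, the port, the output file name and the `$RULE_PATH` layout are assumptions, and the `include` lines show that a PulledPork-generated snort.rules and a hand-maintained local.rules can both be loaded from the same snort.conf.

```snort
# --- local.rules (constructed example; SIDs 1000001+ are the local range) ---

# tag:session,<count>,<metric>
# After this alert fires, also log every packet of the same TCP session
# for the next 60 seconds. Metric may be seconds, packets or bytes.
alert tcp $EXTERNAL_NET any -> $HOME_NET 23 (msg:"LOCAL telnet SYN - log the whole session"; flags:S; tag:session,60,seconds; sid:1000001; rev:1;)

# Same idea with a packet budget instead of a time budget: the next 50
# packets of the session are logged, then tagging stops.
alert tcp $EXTERNAL_NET any -> $HOME_NET 23 (msg:"LOCAL telnet SYN - log next 50 packets"; flags:S; tag:session,50,packets; sid:1000002; rev:1;)

# tag:host,<count>,<metric>,<direction>
# Broader scope: log all traffic from the *source* host for 5 minutes,
# not just the one session. The direction (src/dst) applies to host tags only.
alert tcp $EXTERNAL_NET any -> $HOME_NET 23 (msg:"LOCAL telnet SYN - log source host for 5 min"; flags:S; tag:host,300,seconds,src; sid:1000003; rev:1;)

# --- snort.conf (relevant lines only, constructed example) ---

# Tagged packets are written by the log output plugin; a tcpdump-format
# log means they end up in a pcap that holds only alert-related traffic.
output log_tcpdump: tagged.pcap

# Both rule files can be included; PulledPork's merged file and your own
# local rules are simply read one after the other.
include $RULE_PATH/snort.rules
include $RULE_PATH/local.rules
```

Because the tag budget is per alert, a noisy rule with a long `seconds` value can still produce a large pcap; the `packets` or `bytes` metrics give a hard upper bound per session, which is usually the safer choice for a rule that fires often.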