[Snort-sigs] Fwd: Re: Snort PCAP on selected rules

Edward Fjellskål edwardfjellskaal at ...2420...
Thu Oct 4 14:52:25 EDT 2012

I hit reply but I meant to reply to list :)

-------- Original Message --------
Subject: 	Re: [Snort-sigs] Snort PCAP on selected rules
Date: 	Thu, 04 Oct 2012 17:02:42 +0200
From: 	Edward Fjellskål <edwardfjellskaal at ...2420...>
To: 	Mr. Qoheleth <qoheleth26 at ...2420...>

Here is an example:

On 10/04/2012 06:38 AM, Mr. Qoheleth wrote:
> Hello all once again!
> I have another question I was unable to find out:  Snort has the 
> ability to capture the traffic in pcap files.  I am hoping there is a 
> way to only start capturing the traffic of a conversation that matched 
> a rule alert?  So in orther words, I do not wish to save every packet 
> on my network in my pcap files; I only wish to save packets that match 
> a detected attack.  So is there a way that once an alert fires, then I 
> can have snort begin to log all traffic relating to that conversation 
> in a pcap file?
> Thanks again so much!
> ------------------------------------------------------------------------------
> Don't let slow site performance ruin your business. Deploy New Relic APM
> Deploy New Relic app performance management and know exactly
> what is happening inside your Ruby, Python, PHP, Java, and .NET app
> Try New Relic at no cost today and get our sweet Data Nerd shirt too!
> http://p.sf.net/sfu/newrelic-dev2dev
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-sigs
> http://www.snort.org
> Please visithttp://blog.snort.org  for the latest news about Snort!

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-sigs/attachments/20121004/ade43d33/attachment.html>

More information about the Snort-sigs mailing list