[Snort-users] Dynamic rules

Simon Attwell attwell at ...461...
Fri Jan 26 09:53:03 EST 2001


In reading through some of the dynamic rule documentation I could find no clue to the following.

In the case that a packet trips a specific signature on a content basis, I would like to be able
to log the entire conversation from that point, i.e. all packets coming from that source
until a packet limit is reached or until a TCP FIN is seen.

Is there a way to dynamically access the IP/TCP/UDP header information from the packet that triggered
the initial alert?

	- Simon

--
Simon Attwell
Systems Engineer
Berbee
5520 Research Park Drive
Madison, WI 53711
attwell at ...460...

Berbee... putting the E in business.



