[Snort-users] content, session, and Streams
Crist J. Clark
cjclark at ...960...
Tue Mar 6 03:42:49 EST 2001
I was trying to catch TCP sessions by triggering off of 'content' in a
packet. Does this work? I realize Snort is stateless (not counting
preprocessors), so I would not expect that you could capture a session
using a 'content' rule alone. However, if you are doing TCP streams, I
could see how this /might/ be possible? Is it? I'm guessing it is not;
I was playing around with it, looking over the source, and could not
get it to work. But I wanted to ask and make sure.
Crist J. Clark cjclark at ...485...