[Snort-users] content, session, and Streams

Crist J. Clark cjclark at ...960...
Tue Mar 6 03:42:49 EST 2001


I was trying to catch TCP sessions by triggering off of 'content' in a
packet. Does this work? I realize Snort is stateless (not couting
preprocessors), so I would not expect that you could capture a session
using a 'content' rule alone. However, if you are doing TCP streams, I
could see how this /might/ be possible? Is it? I'm guessing it is not;
I was playing around with it, looking over the source, and could not
get it to work. But I wanted to ask and make sure.
-- 
Crist J. Clark                           cjclark at ...485...




More information about the Snort-users mailing list