[Snort-users] content, session, and Streams

Martin Roesch roesch at ...421...
Wed Mar 7 00:49:59 EST 2001


Turn on the stream preprocessor and you should be able to do content
matching on reassembled TCP streams.  If you merely want to capture the
session traffic, use the "session" rule option in a bidirectional rule
for the IP addresses and ports you're interested in and it'll log all
the plaintext data in the connection.  If you want to trigger logging
based on a content match, try the new tag option that's available in the
latest code in CVS.

     -Marty


"Crist J. Clark" wrote:
> 
> I was trying to catch TCP sessions by triggering off of 'content' in a
> packet. Does this work? I realize Snort is stateless (not counting
> preprocessors), so I would not expect that you could capture a session
> using a 'content' rule alone. However, if you are doing TCP streams, I
> could see how this /might/ be possible? Is it? I'm guessing it is not;
> I was playing around with it, looking over the source, and could not
> get it to work. But I wanted to ask and make sure.
> --
> Crist J. Clark                           cjclark at ...485...
> 
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> http://lists.sourceforge.net/lists/listinfo/snort-users

--
Martin Roesch
roesch at ...421...
http://www.snort.org
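The three mechanisms Marty lists above, written out as rules. This is an added example, not from the original post or from the Snort distribution; the addresses and ports are made up, and the exact argument syntax of the stream preprocessor line and of the tag option (which appeared in the 1.8 series rather than in the CVS snapshot discussed here) varies between Snort versions, so check the manual that matches your build before pasting this into snort.conf.

```conf
# 1. Turn on TCP stream reassembly so that "content:" matches run against
#    the rebuilt stream and not only against individual packets.
#    (Argument list is an assumption for the 1.x "stream" preprocessor;
#    later releases renamed it stream4 / stream4_reassemble.)
preprocessor stream: timeout 5, ports 21 23 25 80 110 143

# 2. Plain session capture: a bidirectional (<>) rule with the "session"
#    option logs the printable payload of every connection between the
#    two endpoints, whether or not anything in it looks suspicious.
#    Hosts and ports below are constructed for the example.
log tcp 10.1.1.0/24 any <> 192.168.5.20 23 (msg: "telnet session capture"; session: printable;)

# 3. Content-triggered capture: "tag" starts logging the rest of the
#    session once the content match fires. Here the next 64 packets of
#    the session are recorded. (tag syntax: type, count, metric.)
alert tcp any any -> 192.168.5.20 23 (msg: "telnet root login attempt"; content: "root"; tag: session, 64, packets;)
```

Two caveats a practitioner will want. Rule 2 writes cleartext credentials and session data to disk for every matching connection, so restrict the IP/port pair tightly and protect the log directory. Rule 3 only captures what follows the match; packets before the triggering one are not retroactively logged, and without the preprocessor from step 1 a string split across two segments will not match at all.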



