[Snort-users] Capturing Packets on Demand

Chris Green cmg at ...671...
Tue Oct 2 12:14:07 EDT 2001


"Migus, Adam" <Adam_Migus at ...2706...> writes:

> Folks,
> I'm sure this question has probably been asked many times before but
> a quick scan of the FAQ revealed nothing so I'll ask again.
> What I want to do is this:
> For a given rule when the rule is triggered I want to log in tcpdump

Tagging in 1.8.1 is what you want.

add tag: session, 100, seconds; to whatever rule you want to capture
for the next 100 seconds.

> format that packet and each subsequent packet until the connection is
> terminated.  If possible I'd also like it if each time the rule was
> triggered it would log the binary data to separate logfiles so that
> each file contained only one trace.  The second part is icing on the
> cake and is not essential.

No icing unless you want the printable type view.

-- 
Chris Green <cmg at ...671...>
A watched process never cores.
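Added example, not part of the original thread: a rule carrying the tag option Chris names (tag: session, 100, seconds;), shown in the context of a complete Snort rule, together with the output line that makes the logged packets land in tcpdump binary format. Only the tag option comes from the reply; the port, content match, message, sid and the log_tcpdump output plugin line are assumptions added here for illustration.

```snort
# snort.conf fragment (assumed): write every logged packet in tcpdump/pcap
# binary format to snort.log. Running snort with -b has the same effect.
output log_tcpdump: snort.log

# Hypothetical rule. When it fires, the triggering packet is logged and,
# because of the tag option, so is every further packet of the same TCP
# session for the next 100 seconds. That gives the "rest of the connection"
# the question asks for without writing a second rule.
alert tcp any any -> $HOME_NET 21 (msg:"Hypothetical FTP trigger"; \
    content:"USER"; nocase; \
    tag:session,100,seconds; \
    sid:1000001; rev:1;)
```

The tagged packets go through the same log output as the alert's own packet, so with log_tcpdump they end up in one binary file that tcpdump -r can read back; picking a time window (seconds) rather than a packet count keeps a chatty session from stopping the capture early, at the cost of logging 100 seconds of traffic per trigger.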
