[Snort-users] capturing a suspicious traffic stream

Stan Scalsky sscalsk at ...3339...
Mon Oct 22 18:34:06 EDT 2001


> Snort can mostly do this with tags and stream4.  Write a rule like this:
> alert tcp any any -> $HOME_NET 80   (content: "cmd.exe";  msg: "WEB cmd.exe request"; tag: session, 300, seconds;)
> and it'll capture the next 300 seconds worth of this session

That is cool and just what I was looking to do also - how about, in addition
to # of seconds, maybe # of packets? Say "tag: session, 50, packets;" to grab
up to the next 50 packets. Or can I already do this elsewhere?

-= stan
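Added example (not code from the thread or from the Snort project): a small checker for the `tag` option's grammar as Snort 2 documents it, `tag: <type>, <count>, <metric>[, <direction>]`, run over the quoted rule and the packet-count variant asked about above. It assumes Snort 2.x rule syntax and accepts the documented metrics packets, seconds and bytes; the sample rules are constructed from the thread.

```python
import re
# Values the Snort 2 "tag" option accepts (assumption: Snort 2.x rule syntax):
#   tag: <type>, <count>, <metric>[, <direction>]
TAG_TYPES = {"session", "host"}
TAG_METRICS = {"packets", "seconds", "bytes"}
TAG_DIRECTIONS = {"src", "dst"}   # direction is only meaningful for host tags
# One "keyword[: value];" rule option; a quoted value may safely contain ';'.
OPTION_RE = re.compile(r'\s*(\w+)\s*(?::\s*((?:"[^"]*"|[^;"])*))?;')

def parse_options(rule):
    """Return the (keyword, value) pairs found in a rule's option block."""
    body = rule[rule.index("(") + 1 : rule.rindex(")")]
    return [(m.group(1), (m.group(2) or "").strip()) for m in OPTION_RE.finditer(body)]

def parse_tag(value):
    """Validate a tag option value; return it as a dict or raise ValueError."""
    parts = [p.strip() for p in value.split(",")]
    if len(parts) not in (3, 4):
        raise ValueError(f"tag needs type, count, metric[, direction]: {value!r}")
    ttype, count, metric = parts[:3]
    direction = parts[3] if len(parts) == 4 else None
    if ttype not in TAG_TYPES:
        raise ValueError(f"unknown tag type {ttype!r}")
    if not count.isdigit() or int(count) == 0:
        raise ValueError(f"tag count must be a positive integer: {count!r}")
    if metric not in TAG_METRICS:
        raise ValueError(f"unknown tag metric {metric!r} (packets, seconds or bytes)")
    if direction is not None and (ttype != "host" or direction not in TAG_DIRECTIONS):
        raise ValueError(f"direction {direction!r} is only valid as src/dst on host tags")
    return {"type": ttype, "count": int(count), "metric": metric, "direction": direction}

def tag_of_rule(rule):
    """Return the parsed tag option of a rule, or None when the rule has none."""
    for key, val in parse_options(rule):
        if key == "tag":
            return parse_tag(val)
    return None

def is_valid_tag(value):
    try:
        parse_tag(value)
        return True
    except ValueError:
        return False

# Constructed sample rules: the one quoted in the thread, and the packet-count variant.
SECONDS_RULE = ('alert tcp any any -> $HOME_NET 80 (content: "cmd.exe"; '
                'msg: "WEB cmd.exe request"; tag: session, 300, seconds;)')
PACKETS_RULE = ('alert tcp any any -> $HOME_NET 80 (content: "cmd.exe"; '
                'msg: "WEB cmd.exe request"; tag: session, 50, packets;)')
```

Running `tag_of_rule` over both constructed rules shows the seconds and packets forms parsing to the same structure with only the metric and count differing; a misspelled metric or a direction on a session tag is rejected before the rule ever reaches the sensor.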