[Snort-users] capturing a suspicious traffic stream
sscalsk at ...3339...
Mon Oct 22 18:34:06 EDT 2001
> Snort can mostly do this with tags and stream4. Write a rule like this:
> alert tcp any any -> $HOME_NET 80 (content: "cmd.exe"; msg: "WEB cmd.exe request"; tag: session, 300, seconds;)
> and it'll capture the next 300 seconds' worth of this session
That is cool and just what I was looking to do also. How about, in addition
to # of seconds, maybe # of packets? Say "tag: session, 50, packets;" to grab
up to the next 50 packets. Or can I already do this elsewhere?
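To make the difference between the two tag metrics concrete, here is an added example (not code from the Snort project or from either poster) that emulates session tagging over a constructed list of packets. It assumes the semantics the thread describes: a packet that fires the rule is logged as the alert, and later packets of the same session (either direction) are logged until either `count` seconds have passed since the alert or `count` further packets have been logged, after which the rule is evaluated afresh. The packet list, host addresses and the `packets` metric are assumptions for illustration; the `packets` metric is the poster's proposal, not something this example verifies against any Snort release.

```python
"""Emulate Snort-style "tag: session, <count>, <metric>" behaviour.

Added example, not Snort's own tagging code. Assumed semantics:
a matching packet is logged as the alert and tags its session; following
packets in that session are logged until the count of seconds (or packets,
as proposed in the thread) is exhausted, then the tag is dropped.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Packet:
    ts: float       # seconds since capture start
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes


@dataclass
class TagRule:
    dport: int      # destination port the rule watches (80 in the thread)
    content: bytes  # payload substring that fires the alert
    count: int      # how long to keep logging after the alert
    metric: str     # "seconds" (from the thread) or "packets" (the proposal)


@dataclass
class TagState:
    start_ts: float         # timestamp of the packet that fired the alert
    packets_seen: int = 0   # packets already logged under this tag


def session_key(p: Packet) -> Tuple:
    """Direction-independent key so server replies join the same session."""
    return tuple(sorted([(p.src, p.sport), (p.dst, p.dport)]))


def matches(p: Packet, rule: TagRule) -> bool:
    return p.dport == rule.dport and rule.content in p.payload


def tag_active(state: TagState, p: Packet, rule: TagRule) -> bool:
    """Is this session's tag still within its seconds or packets budget?"""
    if rule.metric == "seconds":
        return p.ts - state.start_ts < rule.count
    if rule.metric == "packets":
        return state.packets_seen < rule.count
    raise ValueError(f"unknown tag metric: {rule.metric}")


def run(packets: List[Packet], rule: TagRule) -> List[Tuple[int, str]]:
    """Return (packet index, reason) for every packet that would be logged."""
    logged: List[Tuple[int, str]] = []
    tags: Dict[Tuple, TagState] = {}
    for i, p in enumerate(packets):
        key = session_key(p)
        state = tags.get(key)
        if state is not None:
            if tag_active(state, p, rule):
                state.packets_seen += 1
                logged.append((i, "tagged"))
                continue
            del tags[key]   # budget exhausted; re-evaluate the rule below
        if matches(p, rule):
            logged.append((i, "alert"))
            tags[key] = TagState(start_ts=p.ts)
    return logged


# Constructed packets (assumed addresses), not a real capture.
CLIENT, SERVER = "10.0.0.5", "192.0.2.10"
SAMPLE = [
    Packet(0.0, CLIENT, 40001, SERVER, 80, b"GET /scripts/cmd.exe HTTP/1.0\r\n"),
    Packet(0.5, SERVER, 80, CLIENT, 40001, b"HTTP/1.0 404 Not Found\r\n"),
    Packet(1.0, CLIENT, 40001, SERVER, 80, b"GET /robots.txt HTTP/1.0\r\n"),
    Packet(2.0, CLIENT, 40002, SERVER, 80, b"GET /index.html HTTP/1.0\r\n"),
    Packet(5.0, CLIENT, 40001, SERVER, 80, b"GET /favicon.ico HTTP/1.0\r\n"),
    Packet(400.0, CLIENT, 40001, SERVER, 80, b"GET / HTTP/1.0\r\n"),
    Packet(401.0, CLIENT, 40001, SERVER, 80, b"GET /cmd.exe HTTP/1.0\r\n"),
]


def demo() -> Tuple[List[Tuple[int, str]], List[Tuple[int, str]]]:
    by_seconds = run(SAMPLE, TagRule(80, b"cmd.exe", 300, "seconds"))
    by_packets = run(SAMPLE, TagRule(80, b"cmd.exe", 2, "packets"))
    return by_seconds, by_packets


if __name__ == "__main__":
    secs, pkts = demo()
    print("tag: session, 300, seconds ->", secs)
    print("tag: session, 2, packets   ->", pkts)
```

With the seconds metric the whole 300-second window is logged, including the server's reply and the later favicon request, while the 400-second request falls outside it and is not logged; with a two-packet budget only the reply and the next client request are tagged, and the favicon request is dropped. In both cases the second cmd.exe request at 401 seconds fires a fresh alert because the earlier tag has expired.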