[Snort-users] How to log an alert plus x number of packets?

Rich Adamson radamson at ...2127...
Sat Oct 5 03:36:03 EDT 2002


I'm looking for a way to cause snort to log "x" number of packets from
a particular device "after" an alert has been activated. Does that
capability exist, and if so, how would I configure it?

Simple Example: if an EXTERNAL_NET device requests a DNS Zone Transfer,
snort will detect and alert. However, the alert only suggests the attempt
was made and offers no clue as to whether the zone transfer request was
actually honored. If "x" number of sequential packets were logged to/from
this device after the alert, one could easily determine whether it was a
false positive.

(I understand that another specific rule could be written to handle the
above zone transfer example, but there are lots of similar examples
where saving a few follow-on packets would be helpful.)






More information about the Snort-users mailing list