[Snort-users] How to log an alert plus x number of packets?

Michael Boman michael.boman at ...4162...
Sat Oct 5 05:38:02 EDT 2002


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Saturday 05 October 2002 19:21, Rich Adamson wrote:
> I'm looking for a way to cause snort to log "x" number of packets from
> a particular device "after" an alert has been activated. Does that
> capability exist, and if so, how would I configure it?

Yes, it exists and it is called tagging. It's available by default (actually, 
the only way to remove it would be changing the source code and re-compiling) 
and is configured using the 'tag' keyword. See:

http://www.snort.org/docs/writing_rules/chap2.html#tth_chAp2 paragraph 2.3.31

Best regards
 Michael Boman

- -- 
Michael Boman
Security Architect, SecureCiRT (A SBU of Z-Vance Pte Ltd)
http://www.securecirt.com
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE9ntzlds5fQJiraJwRAgh5AJ9t3QLof8XHzM2cPUudylsoQoWhJgCglg/c
zrL8zQyzdh5es8Cu7E00t58=
=Kjaa
-----END PGP SIGNATURE-----
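As an added illustration of the 'tag' keyword the reply points to (this is not part of the original post; the addresses, ports, message strings and SIDs are placeholders chosen for the example), here are two rules that log follow-on packets after an alert fires. The first tags the rest of the TCP session for a fixed number of packets, which is the closest match to "log x packets after an alert"; the second tags every packet from the offending source host for a time window instead.

```snort
# Added example, not from the list post. Variables, message text and SIDs
# are placeholders; adjust them to the local snort.conf.

# After this alert fires, log the alerting packet plus the next 10 packets
# of the same TCP session (both directions). Metric is "packets".
alert tcp $EXTERNAL_NET any -> $HOME_NET 23 (msg:"TELNET connect, tag session"; flags:S,12; tag:session,10,packets; sid:1000001; rev:1;)

# Alternative: tag every packet from the alerting source host for the next
# 60 seconds, regardless of session. Direction "src" keys on the source
# address of the packet that triggered the alert.
alert tcp $EXTERNAL_NET any -> $HOME_NET 23 (msg:"TELNET connect, tag host"; flags:S,12; tag:host,60,seconds,src; sid:1000002; rev:1;)
```

Tagged packets are written by Snort's log facility (the log directory or whatever log output plugin is configured), not to the alert file, so check the log output rather than the alert stream when verifying that tagging works. The count metric may be packets, seconds or bytes; "host" tagging with "src" or "dst" is the option to use when the goal is to capture a particular device's traffic rather than one connection.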