[Snort-users] How to log an alert plus x number of packets?
michael.boman at ...4162...
Sat Oct 5 05:38:02 EDT 2002
On Saturday 05 October 2002 19:21, Rich Adamson wrote:
> I'm looking for a way to cause snort to log "x" number of packets from
> a particular device "after" an alert has been activated. Does that
> capability exist, and if so, how would I configure it?
Yes, it exists and it is called tagging. It's available by default (actually,
the only way to remove it would be changing the source code and re-compiling)
and is configured using the 'tag' keyword. See:
http://www.snort.org/docs/writing_rules/chap2.html#tth_chAp2 paragraph 2.3.31
Security Architect, SecureCiRT (A SBU of Z-Vance Pte Ltd)
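
An added illustration of the 'tag' keyword mentioned in the reply above (not part of the original post). The rule header, msg text and sid values are constructed placeholders; only the `tag:` option is the point. Its form is `tag:<type>,<count>,<metric>[,direction];`, where type is `host` or `session` and metric is `packets` or `seconds`.

```snort
# Constructed example: on a match, alert, then log the next 50 packets
# from the source host of the packet that triggered the rule.
alert tcp $EXTERNAL_NET any -> $HOME_NET 23 (msg:"Constructed example - inbound telnet SYN"; flags:S; tag:host,50,packets,src; sid:1000001; rev:1;)

# Constructed example: same trigger, but log only the triggering session,
# bounded by time (10 seconds) instead of a packet count.
alert tcp $EXTERNAL_NET any -> $HOME_NET 23 (msg:"Constructed example - inbound telnet SYN, session tag"; flags:S; tag:session,10,seconds; sid:1000002; rev:1;)
```

With `host` tagging, the `src` or `dst` direction selects which endpoint of the triggering packet is followed; `session` tagging follows only the flow that matched.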