[Snort-users] simultaneous snort and tcpdump

Carl Gibbons cgibbons at ...6953...
Thu Sep 26 13:48:05 EDT 2002


Okay, here's an example of what I'd like:  for every snort alert,
don't just save (into mmdd at ...3818...) the packet that caused
the alert, but also save the ten preceding and ten succeeding
packets between the same hosts.

This is why I am running tcpdump and snort simultaneously.  My
question remains.  Sorry, Jason, but your "RTFM" suggestion
to craft a clever snort rule doesn't help.  - Carl

On Sun, 22 Sep 2002, Jason wrote:

> create a rule that matches the other interesting traffic.
>
> look at the docs for creating rules on snort.org
>
> Carl Gibbons wrote:
>
> >Thanks, Bennett and Gary.
> >
> >I was needlessly complicating matters.  Perhaps I still am: one
> >reason I want simultaneous snort/tcpdump is that "snort -b" only
> >seems to record packets on which it finds a rule match, and I want
> >to record other traffic as well.  Perhaps there's an elegant,
> >efficient way to do so with a single snort process?  - Carl
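The selection Carl describes (for one alert, keep the ten packets before and the ten after that belong to the same host pair) written out as an added example in Python; it is not code from the thread or from Snort. It assumes packets have already been read from tcpdump's capture into the small Packet tuple below, and the sample capture is constructed, not real traffic.

```python
from collections import deque
from typing import Iterable, List, NamedTuple, Optional


class Packet(NamedTuple):
    ts: float       # capture timestamp in seconds (assumed field layout)
    src: str
    dst: str
    payload: bytes


def same_hosts(pkt: Packet, a: str, b: str) -> bool:
    """True if the packet is exchanged between hosts a and b, in either direction."""
    return {pkt.src, pkt.dst} == {a, b}


def alert_context(packets: Iterable[Packet], alert_ts: float, host_a: str,
                  host_b: str, before: int = 10, after: int = 10) -> List[Packet]:
    """Return the alerting packet (timestamp alert_ts) plus up to `before` preceding
    and `after` following packets, counting only traffic between host_a and host_b.
    Single pass with a ring buffer, so a live stream works as well as a file.
    Returns [] if no packet between the two hosts carries alert_ts."""
    pre: deque = deque(maxlen=before)   # last `before` conversation packets seen
    out: List[Packet] = []
    remaining: Optional[int] = None     # None until the alerting packet is found
    for pkt in packets:
        if not same_hosts(pkt, host_a, host_b):
            continue                    # unrelated hosts never count toward the window
        if remaining is None:
            if pkt.ts == alert_ts:
                out.extend(pre)
                out.append(pkt)
                remaining = after
            else:
                pre.append(pkt)
        else:
            if remaining == 0:
                break
            out.append(pkt)
            remaining -= 1
    return out


def build_sample_capture() -> List[Packet]:
    """Constructed capture: 40 packets, even indices alternate direction between
    10.0.0.1 and 10.0.0.2, odd indices are unrelated 10.0.0.3 -> 10.0.0.4 traffic."""
    pkts = []
    for i in range(40):
        if i % 2 == 0:
            src, dst = ("10.0.0.1", "10.0.0.2") if i % 4 == 0 else ("10.0.0.2", "10.0.0.1")
        else:
            src, dst = "10.0.0.3", "10.0.0.4"
        pkts.append(Packet(float(i), src, dst, f"pkt{i}".encode()))
    return pkts
```

With the alert at ts=20.0 the window holds 10 packets before, the alert, and the 9 that remain after it; the function returns what is available rather than padding to ten.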
