[Snort-users] simultaneous snort and tcpdump
flynngn at ...6811...
Thu Sep 26 14:19:40 EDT 2002
Carl Gibbons wrote:
> Okay, here's an example of what I'd like: for every snort alert,
> don't just save (into mmdd at ...3818...) the packet that caused
> the alert, but also save the ten preceding and ten succeeding
> packets between the same hosts.
I haven't used them yet but the activate/dynamic and tag rules are
supposed to let you log packets AFTER a signature match occurs.
You'll probably have to roll your own solution with some type
of rolling buffer for those preceding packets though :)
Security Engineer - Technical Services
James Madison University
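The rolling buffer the reply sketches, as an added example that is not code from the original poster or from Snort. Snort's tag keyword (for instance tag:session,10,packets) already covers the packets that follow a match; what it cannot do is hand back packets that arrived before the alert, so this script keeps a per-host-pair ring buffer and, when a trigger fires, emits the last N packets, the alert packet, and the next N on the same conversation. The is_alert predicate and the packet records are constructed stand-ins for a real signature and a real capture, and the host-pair key is unordered so both directions of the conversation share one buffer:

```python
"""Rolling-buffer context capture around an alert (added example, not Snort code)."""
from collections import defaultdict, deque

# Constructed stand-in for a Snort signature: alert when the payload carries this string
TRIGGER = b"/cgi-bin/phf"


def is_alert(pkt):
    """Hypothetical signature match; in a real deployment Snort decides this."""
    return TRIGGER in pkt["payload"]


def host_pair(pkt):
    """Key on the unordered (src, dst) pair so both directions share one buffer."""
    return tuple(sorted((pkt["src"], pkt["dst"])))


class ContextCapture:
    def __init__(self, pre=10, post=10, match=is_alert):
        self.pre, self.post, self.match = pre, post, match
        # Per host-pair ring buffer of the last `pre` packets; deque drops the oldest
        self.history = defaultdict(lambda: deque(maxlen=pre))
        # Host pairs with an open capture: key -> [packets so far, packets still wanted]
        self.pending = {}
        self.captures = []  # finished context windows, each a list of packets

    def feed(self, pkt):
        key = host_pair(pkt)
        if key in self.pending:
            # A capture is already open for this conversation: record trailing packets.
            # A second alert inside the window is absorbed as context, not re-triggered.
            ctx, want = self.pending[key]
            ctx.append(pkt)
            want -= 1
            if want == 0:
                self.captures.append(ctx)
                del self.pending[key]
            else:
                self.pending[key][1] = want
        elif self.match(pkt):
            # Preceding context comes from the ring buffer, then the alert packet itself
            self.pending[key] = [list(self.history[key]) + [pkt], self.post]
        self.history[key].append(pkt)

    def flush(self):
        """End of trace: emit captures that never saw a full `post` window."""
        for ctx, _want in self.pending.values():
            self.captures.append(ctx)
        self.pending.clear()
        return self.captures


def build_trace():
    """Constructed packets: a background conversation, an unrelated host, the attack."""
    a, b, c = "10.0.0.5", "192.168.1.20", "10.0.0.9"
    pkts = []
    for n in range(1, 7):
        pkts.append({"n": n, "src": a if n % 2 else b, "dst": b if n % 2 else a,
                     "payload": b"GET /index.html"})
    # Packet from a different host pair: must not appear in the captured context
    pkts.append({"n": 7, "src": c, "dst": b, "payload": b"GET /robots.txt"})
    # The packet that fires the constructed signature
    pkts.append({"n": 8, "src": a, "dst": b, "payload": b"GET /cgi-bin/phf?Qalias=x"})
    for n in range(9, 13):
        pkts.append({"n": n, "src": b if n % 2 else a, "dst": a if n % 2 else b,
                     "payload": b"HTTP/1.0 200 OK"})
    return pkts


def capture_context(pkts, pre=3, post=2):
    """Run the trace through the buffer and return packet numbers per capture."""
    cap = ContextCapture(pre=pre, post=post)
    for p in pkts:
        cap.feed(p)
    return [[p["n"] for p in ctx] for ctx in cap.flush()]


if __name__ == "__main__":
    for window in capture_context(build_trace()):
        print("context window:", window)
```

With pre=3 and post=2 the trace yields one window, packets 4, 5, 6, 8, 9, 10: packet 7 is skipped because it belongs to another host pair, and packets 1 to 3 have already fallen out of the ring buffer. Raising post beyond the packets left in the trace still yields a window at flush(), just a shorter one, which is the case to handle when a capture file ends mid-conversation.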