[Snort-users] simultaneous snort and tcpdump

Gary Flynn flynngn at ...6811...
Thu Sep 26 14:19:40 EDT 2002


Carl Gibbons wrote:
> 
> Okay, here's an example of what I'd like:  for every snort alert,
> don't just save (into mmdd at ...3818...) the packet that caused
> the alert, but also save the ten preceding and ten succeeding
> packets between the same hosts.

I haven't used them yet but the activate/dynamic and tag rules are 
supposed to let you log packets AFTER a signature match occurs.

You'll probably have to roll your own solution with some type
of rolling buffer for those preceding packets though :)

-- 
Gary Flynn
Security Engineer - Technical Services
James Madison University

Please R.U.N.S.A.F.E.
http://www.jmu.edu/computing/runsafe
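As an added illustration (not part of the original thread, and not Snort's own code), here is the "rolling buffer" idea in Python: a per-host-pair ring buffer of the last ten packets, flushed on an alert together with the alert packet and the next ten packets between the same hosts. The packet stream and the `10.0.0.x` addresses are constructed sample data.

```python
from collections import defaultdict, deque

def host_pair(pkt):
    # Direction-agnostic key so both halves of a conversation share one buffer
    return frozenset((pkt["src"], pkt["dst"]))

class AlertContextLogger:
    """Ring buffer of the last `before` packets per host pair; on an alert, write
    them out plus the alert and the next `after` packets for that pair."""

    def __init__(self, before=10, after=10):
        self.after = after
        self.history = defaultdict(lambda: deque(maxlen=before))  # pair -> recent
        self.pending = {}   # pair -> succeeding packets still owed after an alert
        self.logged = []    # packets written out, in stream order, no duplicates
        self._seen = set()

    def _log(self, pkt):
        if pkt["seq"] not in self._seen:   # overlapping alerts must not double-log
            self._seen.add(pkt["seq"])
            self.logged.append(pkt)

    def process(self, pkt, is_alert):
        key = host_pair(pkt)
        if is_alert:
            for old in self.history[key]:  # the packets that led up to the alert
                self._log(old)
            self._log(pkt)
            self.pending[key] = self.after
        elif self.pending.get(key, 0) > 0:
            self._log(pkt)
            self.pending[key] -= 1
        self.history[key].append(pkt)      # keep the buffer rolling regardless

def build_stream(n=42):
    # Constructed traffic: odd seqs 10.0.0.1<->10.0.0.2, even 10.0.0.1<->10.0.0.3
    stream = []
    for seq in range(1, n + 1):
        peer = "10.0.0.2" if seq % 2 else "10.0.0.3"
        src, dst = ("10.0.0.1", peer) if seq % 4 in (1, 2) else (peer, "10.0.0.1")
        stream.append({"seq": seq, "src": src, "dst": dst})
    return stream

def run_demo(alert_seqs=(21,)):
    """Feed the sample stream through the logger; return the logged packet seqs."""
    logger = AlertContextLogger(before=10, after=10)
    for pkt in build_stream():
        logger.process(pkt, is_alert=pkt["seq"] in alert_seqs)
    return [p["seq"] for p in logger.logged]
```

With one alert on packet 21, `run_demo()` yields only the odd-numbered packets 1 through 41: the ten before, the alert, and the ten after, with the unrelated 10.0.0.3 conversation left out.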