[Snort-users] tag keyword for TCP sessions
emmanuel.dardaine at ...8313...
Thu Apr 24 00:48:06 EDT 2003
Let me first explain what I'm aiming to do with my Snort installation:
- I would like to intercept email on particular keywords (say, an email address).
- once the email address has been identified, I would like to capture the
remaining messages (if spread over several frames) until the end.
In order to achieve this, I used the tag option, but without success. Even
if I use the direction operator (say tag:host,300,packets,src), I get all
the TCP segments in both directions. Here is the rule I use:
log tcp any any -> any 25 (content:"email at ...8998..."; content:!"FROM\:";
content:!"RCPT TO\:"; tag:host,300,packets,src; msg:"Intercepted email";)
Shall I use the alert keyword instead of log? Who has had a similar experience?
Any hint about this kind of logging?
Thanks for your help,
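The following is an added example, not code from the post above and not part of Snort itself. It models the documented selection rule of Snort's tag keyword: in host mode the src/dst modifier chooses which address of the triggering packet is watched, and every later packet containing that address in either field is tagged, which is why replies from the mail server show up alongside the client's segments; session mode tags both directions of the same 4-tuple. The packets, the addresses 10.0.0.5/10.0.0.25/10.0.0.9, the keyword watched@example and the rule_fires() predicate standing in for the posted rule are all constructed for the demonstration. The last function shows the post-capture filter that keeps only the segments flowing the same way as the triggering packet.

```python
# Added example (not from the original post or the Snort project): a small
# model of how Snort 2's tag keyword selects packets after a rule fires.
# Packet, SMTP_EXCHANGE and rule_fires() are constructed for the demonstration;
# the matching semantics follow the Snort manual's wording for host mode
# ("tag packets containing the source IP address of the packet that
# generated the initial event") and session mode (both directions of the session).
from dataclasses import dataclass
from typing import Callable, List, Optional

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes

CLIENT, SERVER, OTHER = "10.0.0.5", "10.0.0.25", "10.0.0.9"   # constructed addresses

def c2s(payload: bytes) -> Packet:            # client -> mail server (port 25)
    return Packet(CLIENT, 40001, SERVER, 25, payload)

def s2c(payload: bytes) -> Packet:            # mail server -> client
    return Packet(SERVER, 25, CLIENT, 40001, payload)

# Constructed SMTP session: the message body is split across two segments,
# and a segment from an unrelated host follows.
SMTP_EXCHANGE: List[Packet] = [
    s2c(b"220 mail.example ready"),
    c2s(b"MAIL FROM:<alice@example>"),
    s2c(b"250 OK"),
    c2s(b"RCPT TO:<bob@example>"),
    s2c(b"250 OK"),
    c2s(b"DATA"),
    s2c(b"354 go ahead"),
    c2s(b"Subject: hi\r\n\r\nplease write to watched@example soon"),  # rule fires here
    c2s(b"second half of the body\r\n.\r\n"),
    s2c(b"250 queued"),
    c2s(b"QUIT"),
    s2c(b"221 bye"),
    Packet(OTHER, 40555, SERVER, 25, b"EHLO other"),
]

def rule_fires(p: Packet) -> bool:
    """Stand-in for the posted rule: keyword present, envelope lines absent."""
    return (p.dport == 25 and b"watched@example" in p.payload
            and b"FROM:" not in p.payload and b"RCPT TO:" not in p.payload)

@dataclass
class TagNode:
    mode: str        # "host" or "session"
    host: str        # host mode: the single address being watched
    session: tuple   # session mode: 4-tuple of the triggering packet
    remaining: int   # metric=packets budget still available

def start_tag(trigger: Packet, mode: str, count: int, direction: str) -> TagNode:
    if mode == "session":
        return TagNode(mode, "", (trigger.src, trigger.sport, trigger.dst, trigger.dport), count)
    if mode == "host":
        # The modifier picks WHICH address is watched, not which way packets flow.
        host = trigger.src if direction == "src" else trigger.dst
        return TagNode(mode, host, (), count)
    raise ValueError(f"unknown tag type {mode!r}")

def tagged(node: TagNode, p: Packet) -> bool:
    if node.mode == "host":
        # The watched address may sit in either field, so replies are tagged too.
        return p.src == node.host or p.dst == node.host
    fwd = (p.src, p.sport, p.dst, p.dport)
    rev = (p.dst, p.dport, p.src, p.sport)
    return node.session in (fwd, rev)

def log_with_tag(packets: List[Packet], fires: Callable[[Packet], bool],
                 mode: str, count: int, direction: str = "src") -> List[Packet]:
    """Return the triggering packet plus every packet the tag adds afterwards."""
    node: Optional[TagNode] = None
    logged: List[Packet] = []
    for p in packets:
        if node is None:
            if fires(p):
                node = start_tag(p, mode, count, direction)
                logged.append(p)
        elif node.remaining > 0 and tagged(node, p):
            logged.append(p)
            node.remaining -= 1
    return logged

def same_direction_as_trigger(logged: List[Packet]) -> List[Packet]:
    """Post-filter: keep only segments flowing the way the triggering packet did."""
    if not logged:
        return []
    t = logged[0]
    return [p for p in logged if (p.src, p.dst, p.dport) == (t.src, t.dst, t.dport)]

if __name__ == "__main__":
    for mode, direction in (("host", "src"), ("host", "dst"), ("session", "src")):
        got = log_with_tag(SMTP_EXCHANGE, rule_fires, mode, 300, direction)
        print(f"tag:{mode},300,packets,{direction}: {len(got)} packets logged")
    only_client = same_direction_as_trigger(
        log_with_tag(SMTP_EXCHANGE, rule_fires, "host", 300, "src"))
    print("client-to-server only:", [p.payload[:12] for p in only_client])
```

Running the model against the constructed session shows host/src and session mode both collecting the server's replies along with the client's segments, and host/dst additionally sweeping in the unrelated host's traffic to port 25; the one-direction view the post asks for comes from filtering the tagged packets by the trigger's source, destination and port afterwards rather than from the tag keyword itself.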