[Snort-users] Help

Matt Kettler mkettler at ...4108...
Tue Jan 21 09:04:10 EST 2003


No you can not reconstruct all that traffic from your snort logs unless all 
the tcp port 25 traffic generated alerts that caused the packets to be logged.

I suppose you could write a rule to cause all traffic from that user to 
port 25 to be logged by snort, but that's a silly thing to do.

Just use tcpdump and leave snort out of it.. this kind of 'log everything 
matching a simple IP/port combination" is what tcpdump was designed to do.

Snort is intended to sift through lots of traffic looking for more 
complicated things like strings and only log a small portion of the traffic 
which matches them. To use it as a tcpdump replacement is pretty silly.


At 12:00 PM 1/20/2003 -0500, Guru Cumarasamy wrote:
>Is it possible to re-construct TCP packets in snort? for example my 
>employer wants to know all smtp communication between an employee and an 
>outside user, can I go and re-construct all TCP port 25 traffic from the 
>snort log. I am running snort with the -b option.
>
>Thanks in advance





More information about the Snort-users mailing list