mkettler at ...4108...
Tue Jan 21 09:04:10 EST 2003
No, you cannot reconstruct all that traffic from your snort logs unless all
the tcp port 25 traffic generated alerts that caused the packets to be logged.
I suppose you could write a rule to cause all traffic from that user to
port 25 to be logged by snort, but that's a silly thing to do.
Just use tcpdump and leave snort out of it. This kind of "log everything
matching a simple IP/port combination" is what tcpdump was designed to do.
Snort is intended to sift through lots of traffic looking for more
complicated things like strings and only log a small portion of the traffic
which matches them. To use it as a tcpdump replacement is pretty silly.
At 12:00 PM 1/20/2003 -0500, Guru Cumarasamy wrote:
>Is it possible to re-construct TCP packets in snort? For example, my
>employer wants to know all smtp communication between an employee and an
>outside user. Can I go and re-construct all TCP port 25 traffic from the
>snort log? I am running snort with the -b option.
>Thanks in advance
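As an added example (not part of this thread), the reconstruction step the reply points at: reading a classic pcap written by `tcpdump -w` and reassembling the port 25 streams for one host, ordering segments by sequence number and dropping retransmitted bytes. It assumes the capture was written with link type 101 (raw IPv4, no Ethernet framing); the hosts, ports and SMTP lines are constructed sample data.

```python
import struct

def ipv4_tcp_packet(src, dst, sport, dport, seq, payload):
    # Minimal IPv4+TCP packet for the constructed sample; checksums left zero.
    ip2b = lambda a: bytes(map(int, a.split(".")))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x18, 8192, 0, 0) + payload
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0, ip2b(src), ip2b(dst)) + tcp

def pcap_bytes(packets):
    # Classic little-endian pcap file with link type 101 (raw IPv4), as `tcpdump -w` writes.
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 101)
    return hdr + b"".join(struct.pack("<IIII", i, 0, len(p), len(p)) + p for i, p in enumerate(packets))

def reassemble_tcp(pcap, host, port=25):
    # Map (src, sport, dst, dport) -> payload bytes for each TCP stream touching host and port.
    assert pcap[:4] == b"\xd4\xc3\xb2\xa1" and pcap[20:24] == b"\x65\x00\x00\x00", "need LE pcap, raw IPv4"
    segments, off = {}, 24
    while off < len(pcap):
        caplen = struct.unpack("<IIII", pcap[off:off + 16])[2]
        pkt, off = pcap[off + 16:off + 16 + caplen], off + 16 + caplen
        if pkt[9] != 6: continue  # IP protocol 6 = TCP
        ihl = (pkt[0] & 0x0F) * 4
        src, dst = (".".join(map(str, pkt[i:i + 4])) for i in (12, 16))
        sport, dport, seq = struct.unpack("!HHI", pkt[ihl:ihl + 8])
        payload = pkt[ihl + (pkt[ihl + 12] >> 4) * 4:]
        if host not in (src, dst) or port not in (sport, dport) or not payload:
            continue
        segments.setdefault((src, sport, dst, dport), []).append((seq, payload))
    streams = {}
    for key, segs in segments.items():
        out, nxt = bytearray(), None
        for seq, payload in sorted(segs):          # gaps are concatenated over
            if nxt is not None and seq < nxt:      # overlap or retransmission
                payload, seq = payload[nxt - seq:], nxt
            out += payload
            nxt = seq + len(payload)
        streams[key] = bytes(out)
    return streams

def sample_capture():
    # Constructed capture: one SMTP exchange (out of order, with a retransmit)
    # plus an unrelated HTTP packet that the port filter must drop.
    emp, mx, web = "10.0.0.5", "198.51.100.9", "203.0.113.7"
    m1, m2 = b"MAIL FROM:<alice@example.com>\r\n", b"RCPT TO:<bob@example.net>\r\n"
    return pcap_bytes([
        ipv4_tcp_packet(mx, emp, 25, 40000, 500, b"220 mail ready\r\n"),
        ipv4_tcp_packet(emp, mx, 40000, 25, 1000 + len(m1), m2),   # arrives first
        ipv4_tcp_packet(emp, mx, 40000, 25, 1000, m1),
        ipv4_tcp_packet(emp, mx, 40000, 25, 1000, m1),             # retransmission
        ipv4_tcp_packet(emp, web, 40001, 80, 7, b"GET / HTTP/1.0\r\n"),
    ])
```

Captures taken on an Ethernet interface carry a 14-byte link header that this reader does not strip, so check the link type in the pcap header before feeding it a real file.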