[Snort-users] Alerts and packet capture - MYSQL
Snow Jacob C KPWA
JacobSC at ...160...
Mon May 19 15:14:04 EDT 2003
I am using snort 2.0 to capture data based on a custom rule:
alert tcp $HOME_NET any -> $EXTERNAL_NET :1024 (msg:"Syn
and logging this information to a MySQL database. I then want to look
through this data to see if a synack is sent back (aka a complete
handshake/connection). I am capturing additional packets as well. When I
try and view the additional packets in snort I am only getting the packet
that triggers the rule, not the extra packets that were captured. Is there a
way to view this information with acid or am I stuck doing it by hand?
Also is there a way to write the rule such that it won't trigger if I don't
get a synack back? Does ACID already do this and I am missing something? A
little advice from the snort gurus and everyone else would be nice :-).
jacobsc at ...160... <mailto:jacobsc at ...160...>
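The post-processing the poster describes doing by hand, as an added example that is not part of the original thread: given logged packets (constructed sample data below, not real captures), pair each outbound SYN toward a port of 1024 or below with a later SYN-ACK in the reverse direction, so completed handshakes can be separated from unanswered attempts. The home-network prefix and the flag encoding are assumptions for the example.

```python
# Added example: match outbound SYNs with the returning SYN-ACK.
from dataclasses import dataclass

SYN = 0x02  # TCP flag bits, assumed encoding for this example
ACK = 0x10


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: int


def classify_syns(packets, home_prefix="192.168.1.", max_port=1024):
    """Return (completed, unanswered): sets of (src, sport, dst, dport)
    for SYNs leaving home_prefix toward ports <= max_port. A SYN counts
    as completed only if a SYN-ACK for the reversed 4-tuple is seen
    later in the list (packets are assumed to be in capture order)."""
    seen = {}
    for p in packets:
        is_syn = bool(p.flags & SYN)
        is_ack = bool(p.flags & ACK)
        if is_syn and not is_ack:
            if p.src.startswith(home_prefix) and p.dport <= max_port:
                seen[(p.src, p.sport, p.dst, p.dport)] = False
        elif is_syn and is_ack:
            # SYN-ACK travels back toward the original sender
            key = (p.dst, p.dport, p.src, p.sport)
            if key in seen:
                seen[key] = True
    completed = {k for k, done in seen.items() if done}
    unanswered = {k for k, done in seen.items() if not done}
    return completed, unanswered


# Constructed sample: one full handshake, one unanswered SYN, one SYN to a
# high port (outside the rule's port range) and one stray SYN-ACK.
SAMPLE = [
    Packet("192.168.1.10", 40001, "10.0.0.5", 80, SYN),
    Packet("10.0.0.5", 80, "192.168.1.10", 40001, SYN | ACK),
    Packet("192.168.1.10", 40002, "10.0.0.6", 22, SYN),
    Packet("192.168.1.10", 40003, "10.0.0.7", 8080, SYN),
    Packet("10.0.0.8", 443, "192.168.1.10", 40004, SYN | ACK),
]

if __name__ == "__main__":
    done, pending = classify_syns(SAMPLE)
    print("completed:", sorted(done))
    print("unanswered:", sorted(pending))
```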