[Snort-users] log single packet vs reassembled stream

Alex Butcher, ISC/ISYS Alex.Butcher at ...11254...
Mon Oct 4 04:29:00 EDT 2004


--On 04 October 2004 03:57 -0700 Thomas Anderson <neo_ait at ...131...> wrote:

> I know about the tag keyword. Is there any other way so that the
> entire session can be logged, if an alert is generated in any of its
> packets?
>
> The tag keyword only logs packets after the alert is generated, and for
> that I have to specify the number of packets to log afterwards. Actually I
> want to log the content of the entire session when any of its packets is
> alerted.

sguil can integrate snort with tcpdump, apparently. I've thought about 
doing something similar using flexresp, tethereal (in ring-log-file mode) 
and a shell script or similar.

> Regards
> Thomas

HTH,
Alex.
-- 
Alex Butcher: Security & Integrity, Personal Computer Systems Group
Information Systems and Computing             GPG Key ID: F9B27DC9
GPG Fingerprint: D62A DD83 A0B8 D174 49C4 2849 832D 6C72 F9B2 7DC9
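A sketch of the shell-script half of what Alex describes, added here as an example and not code from the original thread: it assumes a ring of pcap files written by tethereal in ring-buffer mode (or tcpdump -C/-W) under a hypothetical $RING_DIR, takes one Snort fast-format alert line, and pulls both directions of that session out of the ring with tcpdump and mergecap, so the packets that preceded the alert are kept as well (flexresp is not involved). The alert line and paths are constructed.

```shell
#!/bin/sh
# Constructed example: recover a whole session from a ring-buffer capture
# once a Snort fast-format alert names one packet of it.
RING_DIR="${RING_DIR:-/var/log/ring}"   # hypothetical ring directory

# Turn the tail of a Snort fast alert line
#   ... {TCP} 10.0.0.5:40112 -> 192.0.2.10:80
# into a BPF filter matching both directions of that one session.
# Returns 1 if the line carries no "{PROTO} a:p -> b:q" tuple.
session_filter() {
    line=$1
    proto=$(printf '%s\n' "$line" | sed -n 's/.*{\([A-Za-z]*\)} .*/\1/p' | tr 'A-Z' 'a-z')
    ends=$(printf '%s\n' "$line" | sed -n 's/.*} \([^ ]*\) -> \([^ ]*\).*/\1 \2/p')
    [ -n "$proto" ] && [ -n "$ends" ] || return 1
    set -- $ends
    # strip the last ":port" so IPv6 literals with colons still split correctly
    src=${1%:*}; sport=${1##*:}
    dst=${2%:*}; dport=${2##*:}
    printf '%s and ((src host %s and src port %s and dst host %s and dst port %s) or (src host %s and src port %s and dst host %s and dst port %s))\n' \
        "$proto" "$src" "$sport" "$dst" "$dport" "$dst" "$dport" "$src" "$sport"
}

# Filter every ring file with that BPF expression and merge the matches
# into one pcap. mergecap ships with tethereal/Wireshark. Unlike the tag
# keyword, this also yields the packets captured before the alert fired.
extract_session() {
    alert=$1; out=$2
    filt=$(session_filter "$alert") || return 1
    tmp=$(mktemp -d) || return 1
    for f in "$RING_DIR"/*.pcap; do
        [ -f "$f" ] || continue
        tcpdump -nn -r "$f" -w "$tmp/$(basename "$f")" "$filt" 2>/dev/null
    done
    mergecap -w "$out" "$tmp"/*.pcap
    rc=$?
    rm -rf "$tmp"
    return $rc
}

# Constructed sample alert; run as: sh script.sh "$alert_line" out.pcap
SAMPLE_ALERT='10/04-04:29:00.123456 [**] [1:1000001:0] constructed test alert [**] [Priority: 2] {TCP} 10.0.0.5:40112 -> 192.0.2.10:80'
if [ $# -ge 1 ]; then
    extract_session "$1" "${2:-session.pcap}"
fi
```

In practice the alert line would come from Snort's alert file (for example tailed by the script), and the ring must be deep enough to still hold the session's first packets when the alert arrives.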