[Snort-users] log single packet vs reassembled stream

Alex Butcher, ISC/ISYS Alex.Butcher at ...11254...
Tue Oct 5 00:48:21 EDT 2004


--On 04 October 2004 12:23 +0100 "Alex Butcher, ISC/ISYS" 
<Alex.Butcher at ...11254...> wrote:

>
>
> --On 04 October 2004 03:57 -0700 Thomas Anderson <neo_ait at ...131...>
> wrote:
>
>> I know about the tag keyword..... Is there any other way so that the
>> entire session can be logged if an alert is generated on any of its
>> packets....
>>
>> The tag keyword only logs packets after the alert is generated.. and for
>> that I have to specify the number of packets to log afterwards.. Actually I
>> want to log the content of the entire session when any of its packets is
>> alerted on......
>
> sguil can integrate snort with tcpdump, apparently. I've thought about
> doing something similar using flexresp, tethereal (in ring-log-file mode)
> and a shell script or similar.

Oh, and if you have real money to spend, then Niksun's 
<http://www.niksun.com/> NetVCR might be handy. Never used it, but I have 
had conversations with their engineers in the past.

>> Regards
>> Thomas

Best Regards,
Alex.
-- 
Alex Butcher: Security & Integrity, Personal Computer Systems Group
Information Systems and Computing             GPG Key ID: F9B27DC9
GPG Fingerprint: D62A DD83 A0B8 D174 49C4 2849 832D 6C72 F9B2 7DC9
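The approach sketched in the reply (a rolling full-packet capture beside Snort, plus a script that carves the flow out of it once an alert names one packet) is what lets you recover the packets that arrived *before* the alert, which `tag` cannot. The following is an added example, not code from the thread, from sguil or from tethereal: it models captured packets as plain records instead of parsing pcap, uses constructed ring-buffer file names (`capture_<start>.pcap`) with a constructed time index, and shows the two pieces a carving script needs, a direction-independent flow key and an idle-timeout cut so that a later reuse of the same ports is not swept into the alerted session.

```python
"""Carve the whole session around an alerted packet out of a capture ring buffer.

Added example (not from the Snort-users thread or any tool it mentions).
Packets are modelled as records; a real script would read them from pcap.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple


@dataclass(frozen=True)
class Packet:
    ts: float      # capture timestamp, seconds since epoch
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    note: str = ""  # constructed label, for readability only


FlowKey = Tuple[str, str, int, str, int]


def flow_key(pkt: Packet) -> FlowKey:
    """Order the two endpoints so both directions of a conversation share one key."""
    a = (pkt.src, pkt.sport)
    b = (pkt.dst, pkt.dport)
    lo, hi = (a, b) if a <= b else (b, a)
    return (pkt.proto, lo[0], lo[1], hi[0], hi[1])


def extract_session(packets: Iterable[Packet], alert: Packet,
                    idle_timeout: float = 60.0) -> List[Packet]:
    """Return the contiguous session containing `alert`.

    All packets with the alert's flow key are sorted by time; the run is then
    grown backwards and forwards from the alert packet while consecutive
    packets are no more than `idle_timeout` apart. A later reuse of the same
    5-tuple (separated by a longer gap) is therefore excluded.
    """
    key = flow_key(alert)
    same_flow = sorted((p for p in packets if flow_key(p) == key), key=lambda p: p.ts)
    i = same_flow.index(alert)  # ValueError if the alert packet is not in the capture
    lo = i
    while lo > 0 and same_flow[lo].ts - same_flow[lo - 1].ts <= idle_timeout:
        lo -= 1
    hi = i
    while hi + 1 < len(same_flow) and same_flow[hi + 1].ts - same_flow[hi].ts <= idle_timeout:
        hi += 1
    return same_flow[lo:hi + 1]


def ring_files_for(index: Dict[str, Tuple[float, float]],
                   session: List[Packet]) -> List[str]:
    """Pick the ring-buffer files whose time span overlaps the session.

    `index` maps file name -> (first packet ts, last packet ts); in practice it
    would be built by reading each file's first and last record.
    """
    start, end = session[0].ts, session[-1].ts
    return sorted(name for name, (first, last) in index.items()
                  if last >= start and first <= end)


# Constructed sample capture: one HTTP session, one unrelated flow, and a
# later session that reuses the exact same ports after a long gap.
CAPTURE = [
    Packet(1000.0, "tcp", "10.0.0.5", 40000, "192.168.1.10", 80, "SYN"),
    Packet(1000.1, "tcp", "192.168.1.10", 80, "10.0.0.5", 40000, "SYN/ACK"),
    Packet(1000.2, "tcp", "10.0.0.5", 40000, "192.168.1.10", 80, "GET / (alert fires here)"),
    Packet(1001.0, "tcp", "10.0.0.5", 40001, "192.168.1.10", 80, "unrelated flow"),
    Packet(1003.0, "tcp", "192.168.1.10", 80, "10.0.0.5", 40000, "200 OK"),
    Packet(1003.5, "tcp", "10.0.0.5", 40000, "192.168.1.10", 80, "FIN"),
    Packet(1400.0, "tcp", "10.0.0.5", 40000, "192.168.1.10", 80, "port reuse, new session"),
]
ALERT = CAPTURE[2]

# Constructed ring-buffer index (file name -> time span covered).
RING_INDEX = {
    "capture_0900.pcap": (900.0, 999.9),
    "capture_1000.pcap": (1000.0, 1099.9),
    "capture_1100.pcap": (1100.0, 1199.9),
    "capture_1400.pcap": (1400.0, 1499.9),
}


def carve_alerted_session() -> Tuple[List[str], List[str]]:
    """Run the carve over the sample data; returns (packet notes, files to read)."""
    session = extract_session(CAPTURE, ALERT)
    return [p.note for p in session], ring_files_for(RING_INDEX, session)


if __name__ == "__main__":
    notes, files = carve_alerted_session()
    print("session packets:", notes)
    print("ring files to carve from:", files)
```

The idle timeout is the one tuning knob: too small and a slow interactive session is split, too large and a port-reuse session is merged with the alerted one. Because the ring buffer is written continuously, the carve has to run before the files covering the session are rotated out, which is why the reply pairs the capture with a trigger such as flexresp or a script watching the alert file.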