[Snort-users] log single packet vs reassembled stream
Alex Butcher, ISC/ISYS
Alex.Butcher at ...11254...
Tue Oct 5 00:48:21 EDT 2004
--On 04 October 2004 12:23 +0100 "Alex Butcher, ISC/ISYS"
<Alex.Butcher at ...11254...> wrote:
> --On 04 October 2004 03:57 -0700 Thomas Anderson <neo_ait at ...131...>
>> I know about the tag keyword..... Is there any other way so that the
>> entire session can be logged, if alert is generated in any of its
>> The tag keyword only logs packets after the alert is generated.. and that too
>> I have to specify the number of packets to log afterwards.. Actually I
>> want to log the content of the entire session when any of its packet is
> sguil can integrate snort with tcpdump, apparently. I've thought about
> doing something similar using flexresp, tethereal (in ring-log-file mode)
> and a shell script or similar.
Oh, and if you have real money to spend, then Niksun's
<http://www.niksun.com/> NetVCR might be handy. Never used it, but I have
had conversations with their engineers in the past.
Alex Butcher: Security & Integrity, Personal Computer Systems Group
Information Systems and Computing GPG Key ID: F9B27DC9
GPG Fingerprint: D62A DD83 A0B8 D174 49C4 2849 832D 6C72 F9B2 7DC9