[Snort-users] Selective pcaps on demand?
jeff-kell at ...6282...
Fri Aug 19 08:21:09 EDT 2005
I've been running snort for quite some time, snort+snortsam+mysql+base. I am only using the database output plugin, and things have been fine. But...
Is there a way to get pcap [tcpdump] captures of a specific signature?
I tried using the rule "logto:", but that doesn't seem to work; I never saw a file created anywhere (and yes, the rule fired, I got the msg).
I tried setting up a new logtype:
> ruletype rogue
> type log
> output log_tcpdump: rogues
And using "rogue" rather than "alert" in the rule, this eventually sort of worked: it created a logfile called "snort.[a long number]" which started with a dump of a matching packet, but then also had dumps of every other alert as well.
What am I missing here? Can't you do this from a single snort instance?