[Snort-users] Selective pcaps on demand?

Jeff Kell jeff-kell at ...6282...
Fri Aug 19 08:21:09 EDT 2005

I've been running snort for quite some time, snort+snortsam+mysql+base.  I am only using the database output plugin, and things have been fine.  But...

Is there a way to get pcap [tcpdump] captures of a specific signature? 

I tried using the rule "logto:" but that doesn't seem to work, never saw a file created anywhere (and yes, the rule fired, got the msg).

I tried setting up a new logtype:

> ruletype rogue
> {
>    type log
>    output log_tcpdump: rogues
> }

And using "rogue" rather than "alert" in the rule, this eventually sort of worked: it created a logfile called "snort.[a long number]" which started with a dump of a matching packet, but then also had dumps of every other alert as well.

What am I missing here?  Can't you do this from a single snort instance?
