[Snort-users] session:printable question

Taras Danko gortaur at ...11827...
Thu Nov 12 11:25:57 EST 2009


Hello guys.

I've got an assignment to dump all the application level data from all
the telnet sessions destined to certain subnet in ASCII form using
snort.
My custom rule to accomplish this is the following:

log tcp any any <> $SUBNET 23 (session:printable; sid:1000003;)

The rule by itself is OK. The bad thing is the filename hierarchy of the
captured sessions, which looks like:
/var/log/snort/<SRC_IP>/SESSION:<high_port>-<low_port>

With the current schema I'm unable to identify the IP of the destination
host of a session, only the source. It makes the whole dump half
useless.
Is it possible to somehow add the dest_ip to the session filename or
dirname, or to attach it to the session file in some other way?

I know about other ways and tools to accomplish the same thing, but I
have no choice and need to defeat snort's session:printable at the
moment :)

Thank you in advance.
-- 
Regards,
Taras Danko
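The following is an added example, not code from the post above or from Snort. It shows what a "printable" dump of a telnet session amounts to when done by hand and keyed by the full client/server 4-tuple, so that the destination host is part of the output name, which is exactly what the Snort layout described above loses. It assumes the TCP segments (src_ip, src_port, dst_ip, dst_port, payload) have already been reassembled from a capture; the segments below are constructed inline so the script runs offline. Treating "printable" as "printable ASCII bytes kept, everything else dropped" is an assumption about the intent of session:printable, not a reimplementation of Snort's code.

```python
"""
Added example (not from the original post or from Snort): dump the
printable application-layer bytes of telnet sessions, grouped by the
client->server 4-tuple so the destination host is preserved.
"""
import string
from collections import defaultdict

# Telnet command framing (RFC 854): IAC introduces a command byte.
IAC, SB, SE = 0xFF, 0xFA, 0xF0
WILL, WONT, DO, DONT = 0xFB, 0xFC, 0xFD, 0xFE

# Bytes we consider "printable": ASCII letters, digits, punctuation, whitespace.
PRINTABLE = frozenset(string.printable.encode())


def strip_telnet_negotiation(data: bytes) -> bytes:
    """Remove IAC negotiation (IAC WILL/WONT/DO/DONT <opt>, IAC SB ... IAC SE,
    and two-byte IAC <cmd>) and return the user-visible byte stream.
    IAC IAC is an escaped literal 0xFF and is kept."""
    out = bytearray()
    i, n = 0, len(data)
    while i < n:
        b = data[i]
        if b != IAC:
            out.append(b)
            i += 1
            continue
        if i + 1 >= n:
            break  # dangling IAC at end of segment: drop it
        cmd = data[i + 1]
        if cmd == IAC:
            out.append(IAC)
            i += 2
        elif cmd in (WILL, WONT, DO, DONT):
            i += 3  # IAC <cmd> <option>
        elif cmd == SB:
            end = data.find(bytes([IAC, SE]), i + 2)  # skip subnegotiation
            i = n if end < 0 else end + 2
        else:
            i += 2  # NOP, GA, AYT, ... are two bytes
    return bytes(out)


def printable_only(data: bytes) -> bytes:
    """Keep only printable ASCII bytes (assumption: a printable dump drops,
    rather than escapes, control bytes such as 0x00 or ESC)."""
    return bytes(b for b in data if b in PRINTABLE)


def dump_sessions(segments):
    """segments: iterable of (src_ip, src_port, dst_ip, dst_port, payload) in
    arrival order. Both directions of a telnet session are folded onto the
    client->server tuple (the side on port 23 is the server). Returns
    {(client_ip, client_port, server_ip, 23): printable bytes}."""
    sessions = defaultdict(bytearray)
    for src_ip, sport, dst_ip, dport, payload in segments:
        if dport == 23:
            key = (src_ip, sport, dst_ip, dport)
        else:
            key = (dst_ip, dport, src_ip, sport)
        sessions[key] += printable_only(strip_telnet_negotiation(payload))
    return {k: bytes(v) for k, v in sessions.items()}


def session_filename(key):
    """Output name that keeps the destination host, unlike the
    <SRC_IP>/SESSION:<high_port>-<low_port> layout described in the post."""
    client_ip, client_port, server_ip, server_port = key
    return f"{client_ip}_{client_port}-{server_ip}_{server_port}.txt"


# Constructed sample traffic: one login to 192.168.1.10 and one to 192.168.1.11.
SAMPLE_SEGMENTS = [
    ("192.168.1.10", 23, "10.0.0.5", 40001, b"\xff\xfd\x18\xff\xfd\x20login: "),
    ("10.0.0.5", 40001, "192.168.1.10", 23,
     b"\xff\xfc\x18\xff\xfa\x18\x00VT100\xff\xf0admin\r\n"),
    ("192.168.1.10", 23, "10.0.0.5", 40001, b"Password: "),
    ("10.0.0.5", 40001, "192.168.1.10", 23, b"s3cret\r\n\x00"),
    ("10.0.0.5", 40002, "192.168.1.11", 23, b"root\r\n"),
]

if __name__ == "__main__":
    for key, content in dump_sessions(SAMPLE_SEGMENTS).items():
        print(session_filename(key))
        print(content.decode("ascii"))
```

Feeding this from a real capture is left to the reader; the point is that the grouping key, not the payload filter, is where the destination address has to be kept.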