[Snort-users] Displaying few packets before a matched packet

Martin Holste mcholste at ...11827...
Fri Nov 18 10:22:30 EST 2011


> Hey everyone,
> I'm new to snort and was wondering if this is possible. Suppose a packet is
> matched by an alert rule, is it possible to make snort display a few of the
> preceding packets as well?

Not really, which is one of the reasons people run things like
daemonlogger.  We were just discussing alternatives last night with
things like URL logging.  Generally speaking, you should have
something doing general logging alongside Snort to provide context to
the alerts.  For general contextual information without the overhead
of full pcap, I recommend running Bro along with Snort.  It will
generically log connections, URLs, SMTP, SMTP entities, do full file
carving of HTTP/SMTP objects, etc.  That way when you get a Snort
alert, you can grep for the offending IP in your Bro logs to see what
it was up to.  There are many, many ways of doing this with other
solutions; this is just one example.
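The "grep the Bro logs for the offending IP" step above, written out as a small correlation script. This is an added example, not code from the thread or from the Snort or Bro projects: it parses a constructed Snort fast-format alert line and a constructed Bro conn.log, and returns the connections involving either alert endpoint that started within a window before the alert. The rule SID, addresses and timestamps are made up; the script assumes Snort and Bro share a UTC clock, and because the fast format carries no year, the caller supplies it.

```python
"""Pull Bro conn.log records that precede a Snort alert (added example)."""
import calendar
import re
from datetime import datetime

# Constructed sample: one Snort "fast" alert line (hypothetical SID and rule name).
SNORT_ALERT = ("11/18-10:15:32.123456  [**] [1:1000001:1] EXAMPLE rule [**] "
               "[Priority: 2] {TCP} 10.0.0.5:49152 -> 203.0.113.7:80")

# Constructed sample Bro conn.log: tab-separated, ts in epoch seconds (UTC).
BRO_CONN_LOG = """#separator \\x09
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice
1321611200.000000\tC1\t10.0.0.5\t49100\t198.51.100.9\t53\tudp\tdns
1321611310.000000\tC2\t10.0.0.5\t49150\t203.0.113.7\t80\ttcp\thttp
1321611330.500000\tC3\t10.0.0.5\t49152\t203.0.113.7\t80\ttcp\thttp
1321611200.000000\tC4\t10.0.0.8\t51000\t192.0.2.44\t443\ttcp\tssl
1321611400.000000\tC5\t10.0.0.5\t49160\t203.0.113.7\t80\ttcp\thttp
"""

# Fast-format alert: "MM/DD-HH:MM:SS.ffffff ... {PROTO} SRC:SPORT -> DST:DPORT"
# (assumes a TCP/UDP alert, i.e. ports are present).
ALERT_RE = re.compile(
    r"^(?P<mon>\d\d)/(?P<day>\d\d)-(?P<h>\d\d):(?P<m>\d\d):(?P<s>\d\d)\.(?P<us>\d{6})"
    r".*\{(?P<proto>\w+)\} (?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$")


def parse_fast_alert(line, year):
    """Return (epoch_ts, src_ip, dst_ip) for a Snort fast-format alert line.

    The fast format has no year, so the caller supplies it; the timestamp is
    interpreted as UTC (assumption: Snort and Bro clocks agree and use UTC).
    """
    m = ALERT_RE.match(line)
    if not m:
        raise ValueError("not a fast-format alert: %r" % line)
    dt = datetime(year, int(m["mon"]), int(m["day"]),
                  int(m["h"]), int(m["m"]), int(m["s"]), int(m["us"]))
    ts = calendar.timegm(dt.timetuple()) + dt.microsecond / 1e6
    return ts, m["src"], m["dst"]


def parse_conn_log(text):
    """Parse a Bro conn.log into dicts keyed by the names in its #fields header."""
    fields = None
    rows = []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line.startswith("#") or not line.strip():
            continue  # other header lines (#separator, #types, ...) and blanks
        else:
            if fields is None:
                raise ValueError("data row before #fields header")
            rows.append(dict(zip(fields, line.split("\t"))))
    return rows


def context_before(alert_line, conn_text, year, window_s=60.0):
    """Return conn.log rows involving either alert IP that started within
    window_s seconds before (or at) the alert time, oldest first."""
    alert_ts, src, dst = parse_fast_alert(alert_line, year)
    hosts = {src, dst}
    hits = []
    for row in parse_conn_log(conn_text):
        ts = float(row["ts"])
        in_window = alert_ts - window_s <= ts <= alert_ts
        if in_window and hosts & {row["id.orig_h"], row["id.resp_h"]}:
            hits.append(row)
    hits.sort(key=lambda r: float(r["ts"]))
    return hits


if __name__ == "__main__":
    for row in context_before(SNORT_ALERT, BRO_CONN_LOG, year=2011):
        print(row["ts"], row["uid"], row["id.orig_h"], "->",
              row["id.resp_h"], row["service"])
```

The window is deliberately a parameter: a minute is enough to see the flow that triggered the alert and the lookups right before it, while a few minutes catches the earlier DNS or HTTP activity that explains how the host got there. The same filtering logic applies to Bro's http.log or dns.log, since they carry the same ts and id.* columns.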