[Snort-users] Displaying few packets before a matched packet

carlopmart carlopmart at ...11827...
Fri Nov 18 11:05:57 EST 2011


On 11/18/2011 04:22 PM, Martin Holste wrote:
>> Hey everyone,
>> I'm new to snort and was wondering if this is possible. Suppose a packet is
>> matched by an alert rule, is it possible to make snort display a few of the
>> preceding packets as well?
>
> Not really, which is one of the reasons people run things like
> daemonlogger.  We were just discussing alternatives last night with
> things like URL logging.  Generally speaking, you should have
> something doing general logging alongside Snort to provide context to
> the alerts.  For general contextual information without the overhead
> of full pcap, I recommend running Bro along with Snort.  It will
> generically log connections, URLs, SMTP, SMTP entities, do full file
> carving of HTTP/SMTP objects, etc.  That way when you get a Snort
> alert, you can grep for the offending IP in your Bro logs to see what
> it was up to.  There are many, many ways of doing this with other
> solutions, this is just one example.
>

That's what I have long been searching for. I would really like to do this with 
Bro but it is terribly difficult to configure. Do you have some sample, 
Martin, for example to log SMTP and HTTP requests?


-- 
CL Martinez
carlopmart {at} gmail {d0t} com
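The workflow Martin describes above (a Snort alert fires, then you pivot into Bro's logs for the offending host to see what it was doing) can be scripted. The following is an added example written for this page, not code from the thread, from Snort or from the Bro project. It assumes Bro's tab-separated ASCII logs with a `#fields` header and Snort's `alert_fast` output format; the alert line, `conn.log` and `http.log` contents are constructed sample data, and the rule SID is in the local range (1000000+) rather than a real signature. The correlation pivots on the Bro connection `uid`: alert source/destination IPs select the matching `conn.log` row, and that row's `uid` selects the `http.log` request that was actually on the wire when Snort alerted.

```shell
#!/bin/sh
# Added example (not from the original thread): correlate a Snort alert_fast line
# with Bro-style conn.log and http.log entries. All log contents below are constructed.

# Join arguments with tabs, as Bro writes its ASCII logs. Runs in a subshell so IFS is
# not changed for the rest of the script.
tsv() ( IFS=$(printf '\t'); printf '%s\n' "$*" )

# Constructed Snort alert_fast line (SID 1000001 is a local-range placeholder).
ALERT='11/18-16:22:01.123456  [**] [1:1000001:1] LOCAL Suspicious User-Agent [**] [Priority: 1] {TCP} 192.168.1.23:49152 -> 203.0.113.7:80'

# Constructed Bro conn.log: ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service
CONN_LOG=$(
  tsv '#fields' ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service
  tsv 1321629715.100000 CXWv6p3arKYeMETxOg 192.168.1.23 49150 198.51.100.5 443 tcp ssl
  tsv 1321629720.500000 CjhGID4nQcgTWjvg4c 192.168.1.23 49152 203.0.113.7 80 tcp http
  tsv 1321629721.000000 C4J4Th3PJpwUYZZ6gc 192.168.1.40 51000 203.0.113.7 80 tcp http
)

# Constructed Bro http.log: ts uid id.orig_h id.orig_p id.resp_h id.resp_p method host uri user_agent
# (the user_agent field contains a space, which is why the awk calls split on tabs only).
HTTP_LOG=$(
  tsv '#fields' ts uid id.orig_h id.orig_p id.resp_h id.resp_p method host uri user_agent
  tsv 1321629720.600000 CjhGID4nQcgTWjvg4c 192.168.1.23 49152 203.0.113.7 80 GET bad.example /dl/update.exe 'Mozilla/4.0 (compatible)'
  tsv 1321629721.100000 C4J4Th3PJpwUYZZ6gc 192.168.1.40 51000 203.0.113.7 80 GET bad.example /index.html 'Mozilla/5.0'
)

# Source IP from an alert_fast line: the address after "{PROTO} " and before " -> ".
alert_src_ip() {
    printf '%s\n' "$1" | sed -n 's/.*} \([0-9.]*\):[0-9]* -> .*/\1/p'
}

# Destination IP from an alert_fast line: the address after " -> ".
alert_dst_ip() {
    printf '%s\n' "$1" | sed -n 's/.* -> \([0-9.]*\):[0-9]*$/\1/p'
}

# All rows of a Bro log (read from stdin) where the given IP is the originator.
# This is the "grep for the offending IP" step, minus the header lines.
bro_rows_for_ip() {
    awk -F'\t' -v ip="$1" '/^#/ { next } $3 == ip { print }'
}

# Connection uid(s) in conn.log for an originator -> responder pair.
conn_uids_for_pair() {
    printf '%s\n' "$CONN_LOG" |
        awk -F'\t' -v s="$1" -v d="$2" '/^#/ { next } $3 == s && $5 == d { print $2 }'
}

# HTTP requests in http.log carrying a given conn uid: method, host+uri, user agent.
http_for_uid() {
    printf '%s\n' "$HTTP_LOG" |
        awk -F'\t' -v u="$1" '/^#/ { next } $2 == u { print $7, $8 $9, $10 }'
}

# Full pivot: alert line -> IP pair -> conn uid -> HTTP request(s) behind the alert.
alert_context() {
    src=$(alert_src_ip "$1")
    dst=$(alert_dst_ip "$1")
    for uid in $(conn_uids_for_pair "$src" "$dst"); do
        http_for_uid "$uid"
    done
}

# Stand-alone run: what the offending host was up to, then the request behind the alert.
printf '%s\n' "$CONN_LOG" | bro_rows_for_ip "$(alert_src_ip "$ALERT")"
alert_context "$ALERT"
```

On a live sensor the same functions would read `/path/to/bro/logs/current/conn.log` and `http.log` instead of the embedded strings, and you would normally also restrict the `conn.log` match to a time window around the alert, since one host may talk to the same server many times a day. Pivoting on the `uid` rather than on the IP pair alone is what lets you tie the alert to one specific request.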