[Snort-users] Displaying few packets before a matched packet

carlopmart carlopmart at ...11827...
Fri Nov 18 11:05:57 EST 2011

On 11/18/2011 04:22 PM, Martin Holste wrote:
>> Hey everyone,
>> I'm new to snort and was wondering if this is possible. Suppose a packet is
>> matched by an alert rule, is it possible to make snort display few of the
>> preceding packets as well?
> Not really, which is one of the reasons people run things like
> daemonlogger.  We were just discussing alternatives last night with
> things like URL logging.  Generally speaking, you should have
> something doing general logging alongside Snort to provide context to
> the alerts.  For general contextual information without the overhead
> of full pcap, I recommend running Bro along with Snort.  It will
> generically log connections, URLs, SMTP, SMTP entities, do full file
> carving of HTTP/SMTP objects, etc.  That way when you get a Snort
> alert, you can grep for the offending IP in your Bro logs to see what
> it was up to.  There are many, many ways of doing this with other
> solutions, this is just one example.

That's what I have been searching for for a long time. I would really like to do this with 
Bro, but it is terribly difficult to configure. Do you have some sample, 
Martin, for example to log SMTP and HTTP requests?

CL Martinez
carlopmart {at} gmail {d0t} com
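The workflow Martin describes above (take the offending IP from a Snort alert, then look it up in the Bro logs to see what that host was doing beforehand) as an added Python example; this is not code from the thread, from Snort or from Bro. The fast-alert line, the Bro http.log excerpt and the 300-second look-back window are constructed for the example, and the Snort timestamp is assumed to be UTC with the year supplied by the caller, since the fast-alert format omits the year.

```python
import re
from datetime import datetime, timezone

# Snort "fast" alert line. Snort writes two spaces before "[**]"; the regex
# tolerates any whitespace. Year is not in the line, so the caller supplies it.
SNORT_FAST_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<sid>[\d:]+)\]\s+(?P<msg>.*?)\s+\[\*\*\].*?"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)"
)

# Constructed alert, fired 2011-11-18 11:05:57 UTC (epoch 1321614357).
ALERT_LINE = ("11/18-11:05:57.000000  [**] [1:1000001:1] Constructed test rule [**] "
              "[Priority: 1] {TCP} 10.0.0.5:51234 -> 192.168.1.10:80")

# Constructed, abbreviated Bro http.log in its ASCII format: tab-separated,
# "#"-prefixed metadata lines, and a "#fields" line naming the columns.
BRO_HTTP_LOG = "\n".join([
    "#separator \\x09",
    "#path\thttp",
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tmethod\thost\turi",
    "1321613000.000000\tC1\t10.0.0.5\t50001\t192.168.1.10\t80\tGET\texample.test\t/old",
    "1321614300.500000\tC2\t10.0.0.5\t51230\t192.168.1.10\t80\tGET\texample.test\t/login",
    "1321614350.200000\tC3\t10.0.0.5\t51232\t192.168.1.10\t80\tPOST\texample.test\t/upload",
    "1321614355.000000\tC4\t10.0.0.9\t40000\t192.168.1.10\t80\tGET\texample.test\t/",
    "1321614400.000000\tC5\t10.0.0.5\t51240\t192.168.1.10\t80\tGET\texample.test\t/after",
])


def parse_snort_fast(line, year):
    """Parse one Snort fast-alert line into a dict with an epoch timestamp."""
    m = SNORT_FAST_RE.match(line)
    if not m:
        return None
    # Assumption: the alert clock is UTC; adjust if the sensor logs local time.
    ts = datetime.strptime(f"{year}/{m['ts']}", "%Y/%m/%d-%H:%M:%S.%f")
    ts = ts.replace(tzinfo=timezone.utc).timestamp()
    return {"ts": ts, "sid": m["sid"], "msg": m["msg"], "proto": m["proto"],
            "src": m["src"], "sport": int(m["sport"]),
            "dst": m["dst"], "dport": int(m["dport"])}


def parse_bro_log(text):
    """Parse a Bro ASCII log into a list of dicts keyed by the #fields names."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line.startswith("#") or not line.strip():
            continue  # other metadata (#separator, #path, #types, #close) or blank
        elif fields:
            rows.append(dict(zip(fields, line.split("\t"))))
    return rows


def context_before_alert(alert, rows, window_s=300.0):
    """Return Bro rows involving the alert's source host in the window_s seconds
    up to and including the alert time, oldest first. This is the programmatic
    form of "grep for the offending IP in your Bro logs"."""
    lo, hi = alert["ts"] - window_s, alert["ts"]
    hits = [r for r in rows
            if lo <= float(r["ts"]) <= hi
            and alert["src"] in (r["id.orig_h"], r["id.resp_h"])]
    return sorted(hits, key=lambda r: float(r["ts"]))


def summarize(alert_line, bro_text, year, window_s=300.0):
    """Convenience wrapper: returns the list of uids giving context for the alert."""
    alert = parse_snort_fast(alert_line, year)
    if alert is None:
        return []
    return [r["uid"] for r in context_before_alert(alert, parse_bro_log(bro_text), window_s)]


if __name__ == "__main__":
    alert = parse_snort_fast(ALERT_LINE, 2011)
    print(f"alert {alert['sid']} '{alert['msg']}' from {alert['src']} at {alert['ts']:.0f}")
    for r in context_before_alert(alert, parse_bro_log(BRO_HTTP_LOG)):
        delta = alert["ts"] - float(r["ts"])
        print(f"  -{delta:6.1f}s  {r['uid']}  {r['method']} {r['host']}{r['uri']}")
```

Running it lists the two http.log entries from 10.0.0.5 in the five minutes before the alert (C2 and C3); C1 falls outside the window, C4 belongs to another host, and C5 happened after the alert. The same parser works for conn.log, smtp.log or files.log, since all Bro ASCII logs share the `#fields` header convention; only the column names in the filter would change.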

