[Snort-users] Save reassembled session if keyword is found.

Hyun Yoo easetheworld at ...11827...
Fri Aug 14 01:01:32 EDT 2015


Hello. I'm a snort newbie.
I want to monitor email(smtp) packets
and if a keyword is found the whole reassembled session should be sent to
other server.
At first I tried any any <> any 25 ( session:binary), it reassembled smtp
sessions but I couldn't apply content:keyword.
Secondly, I tried (tag:session). I can use content:keyword but it is not
reassembled and the packet before the keyword is not even saved.

I believe this can be done with snort. Anybody give me some hints?
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20150814/77f35677/attachment.html>


More information about the Snort-users mailing list