[Snort-users] Save reassembled session if keyword is found.
easetheworld at ...11827...
Fri Aug 14 01:01:32 EDT 2015
Hello. I'm a Snort newbie.
I want to monitor email (SMTP) packets
and if a keyword is found the whole reassembled session should be sent to
At first I tried any any <> any 25 (session:binary); it reassembled SMTP
sessions, but I couldn't apply content:keyword.
Secondly, I tried (tag:session). I can use content:keyword but it is not
reassembled and the packet before the keyword is not even saved.
I believe this can be done with Snort. Can anybody give me some hints?