[Snort-users] Save reassembled session if keyword is found.

Al Lewis (allewi) allewi at ...589...
Fri Aug 14 07:57:08 EDT 2015


Here is the post-detection section on the ‘session’ and ‘tag’ keywords:  http://manual.snort.org/node34.html .

Albert Lewis
QA Software Engineer
SOURCEfire, Inc. now part of Cisco
9780 Patuxent Woods Drive
Columbia, MD 21046
Phone: (office) 443.430.7112
Email: allewi at ...589...

From: Hyun Yoo [mailto:easetheworld at ...11827...]
Sent: Friday, August 14, 2015 1:02 AM
To: snort-users at lists.sourceforge.net
Subject: [Snort-users] Save reassembled session if keyword is found.

Hello. I'm a Snort newbie.
I want to monitor email (SMTP) packets,
and if a keyword is found, the whole reassembled session should be sent to another server.
At first I tried any any <> any 25 (session:binary); it reassembled SMTP sessions, but I couldn't apply content:keyword.
Secondly, I tried (tag:session). I can use content:keyword, but it is not reassembled and the packet before the keyword is not even saved.

I believe this can be done with Snort. Can anybody give me some hints?
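As an added example (not code from this thread, from Snort, or from the linked manual page), the rule below combines the keyword match with tag:session, which is the post-detection option that logs further packets of the same session once the rule fires. The keyword "CONFIDENTIAL", the sid, and the 300-packet limit are placeholders.

```snort
# Added example rule, not from the thread or the Snort manual.
# "CONFIDENTIAL", sid 1000001 and the 300-packet limit are placeholders.
#
# flow:to_server,established limits the match to client->server data of an
# established TCP session, so the Stream preprocessor must be enabled; rules
# carrying flow:established are evaluated against reassembled stream data
# rather than single raw packets.
# tag:session,300,packets logs up to 300 further packets of the same session
# after the trigger; tag never recovers packets seen before the match.
alert tcp any any -> any 25 (msg:"SMTP keyword seen, tagging rest of session"; flow:to_server,established; content:"CONFIDENTIAL"; nocase; tag:session,300,packets; sid:1000001; rev:1;)
```

The tagged packets are written by whatever log output plugin is configured (for example, output log_tcpdump), and the resulting pcap can then be copied to the other server. Because tagging starts at the triggering packet, the earlier part of the session is not captured this way; that is the behaviour the question describes, and it is inherent to tag, not a configuration mistake.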
