[Snort-users] Save reassembled session if keyword is found.
Al Lewis (allewi)
allewi at ...589...
Fri Aug 14 07:57:08 EDT 2015
Here is the post detection section on ‘session’ and the ‘tag’ keywords: http://manual.snort.org/node34.html .
QA Software Engineer
SOURCEfire, Inc. now part of Cisco
9780 Patuxent Woods Drive
Columbia, MD 21046
Phone: (office) 443.430.7112
Email: allewi at ...589...
From: Hyun Yoo [mailto:easetheworld at ...11827...]
Sent: Friday, August 14, 2015 1:02 AM
To: snort-users at lists.sourceforge.net
Subject: [Snort-users] Save reassembled session if keyword is found.
Hello. I'm a Snort newbie.
I want to monitor email (SMTP) packets,
and if a keyword is found, the whole reassembled session should be sent to another server.
At first I tried any any <> any 25 ( session:binary); it reassembled SMTP sessions, but I couldn't apply content:keyword.
Secondly, I tried (tag:session). I can use content:keyword, but it is not reassembled and the packet before the keyword is not even saved.
I believe this can be done with Snort. Can anybody give me some hints?