[Snort-users] Save reassembled session if keyword is found. 2

Hyun Yoo easetheworld at ...11827...
Tue Aug 25 18:34:56 EDT 2015


For email (SMTP) stream analysis, I want the whole session, not pcap packets.
If the sender is xxx, or the message contains xxx,
I want to save the whole email text.


On Wednesday, August 26, 2015, Joel Esler (jesler) <jesler at ...589...> wrote:

> Why would you do this?  Just use Snort (or better yet, daemonlogger) to
> write the pcap traffic to disk.
>
>
> --
> *Joel Esler*
> Manager, Threat Intelligence Team & Open Source
> Talos Group
> http://www.talosintel.com
>
> On Aug 25, 2015, at 5:52 PM, Hyun Yoo <easetheworld at ...11827...> wrote:
>
> Another question with 'session:binary'.
> To save all tcp stream, I used a rule
> "alert tcp any any <> any any (session:binary)"
> It seems to work, except that the reassembled result is partly duplicated. For
> example:
>
> 220 ESMTP ready
> EHLO
> 250
> MAIL From:<abc at ...17292...>
> 421
> QUIT
> EHLO                    // duplicated
> MAIL From:<abc at ...17292...>    // duplicated
>
> Has anyone used 'session:binary' and seen this issue?
> Is this the only way to save the whole session?
>
> ------------------------------------------------------------------------------
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>
> Please visit http://blog.snort.org to stay current on all the latest
> Snort news!
>
>
>
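Joel's suggestion is to write the raw traffic to disk with Snort or daemonlogger and do the session work afterwards. As an added example, not code from this thread, from Snort or from daemonlogger, the Python below is that post-processing step on a constructed SMTP session: each direction is reordered by TCP sequence number, bytes that were already delivered (retransmissions) are dropped, the sender and message body are extracted from the client stream, and the session is kept only if the sender is on a watch list or a keyword appears in the message, which is the selection rule Hyun describes. The segments, hosts and addresses are constructed inline (including a retransmitted EHLO and MAIL FROM and two message fragments arriving out of order) instead of being read from a pcap file; feeding it a real capture needs a pcap reader, which is not part of this example. It makes no claim about why Snort's own session output showed duplicates.

```python
# Added example (not from the thread, Snort or daemonlogger): reassemble an
# SMTP session from captured TCP segments and decide whether to keep it.
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Sequence, Tuple


@dataclass
class Segment:
    """One payload-carrying TCP segment as it would be read from a capture."""
    direction: str   # "c2s" = client to server, "s2c" = server to client
    seq: int         # relative sequence number of the first payload byte
    payload: bytes


@dataclass
class Reassembler:
    """One direction of a TCP stream, delivered in order and without duplicates."""
    next_seq: int = 0
    pending: Dict[int, bytes] = field(default_factory=dict)   # out-of-order data
    data: bytearray = field(default_factory=bytearray)       # delivered bytes

    def add(self, seq: int, payload: bytes) -> bytes:
        """Accept a segment; return the bytes that just became contiguous."""
        if seq + len(payload) <= self.next_seq:
            return b""                        # pure retransmission, already have it
        if len(payload) > len(self.pending.get(seq, b"")):
            self.pending[seq] = payload       # keep the longer copy for a given seq
        delivered = bytearray()
        while True:
            ready = [s for s in self.pending if s <= self.next_seq]
            if not ready:
                break                         # remaining segments lie past a gap
            chunk = self.pending.pop(min(ready))
            if min(ready) + len(chunk) <= self.next_seq:
                continue                      # made obsolete by an earlier delivery
            chunk = chunk[self.next_seq - min(ready):]   # trim overlap with delivered data
            delivered += chunk
            self.next_seq += len(chunk)
        self.data += delivered
        return bytes(delivered)


@dataclass
class SmtpSession:
    client: Reassembler = field(default_factory=Reassembler)
    server: Reassembler = field(default_factory=Reassembler)
    transcript: List[Tuple[str, bytes]] = field(default_factory=list)

    def feed(self, seg: Segment) -> None:
        side = self.client if seg.direction == "c2s" else self.server
        new = side.add(seg.seq, seg.payload)
        if new:                               # record only bytes not seen before
            self.transcript.append((seg.direction, new))

    def sender(self) -> Optional[str]:
        m = re.search(rb"^MAIL FROM:\s*<([^>]*)>", bytes(self.client.data), re.I | re.M)
        return m.group(1).decode("ascii", "replace") if m else None

    def message(self) -> Optional[bytes]:
        """Text between DATA and the lone '.' terminator, dot-unstuffed."""
        m = re.search(rb"^DATA\r\n(.*?)\r\n\.\r\n", bytes(self.client.data), re.M | re.S)
        if not m:
            return None
        body = m.group(1).replace(b"\r\n..", b"\r\n.")
        return body[1:] if body.startswith(b"..") else body


def should_save(sess: SmtpSession, watched_senders: Sequence[str] = (),
                keywords: Sequence[str] = ()) -> bool:
    """Keep the session if the sender is watched or a keyword is in the message."""
    sender = (sess.sender() or "").lower()
    body = (sess.message() or b"").lower()
    if any(sender == w.lower() for w in watched_senders):
        return True
    return any(k.lower().encode() in body for k in keywords)


def render(sess: SmtpSession) -> str:
    """Transcript in delivery order; a line split across two segments that were
    delivered separately shows as two lines."""
    out = []
    for direction, chunk in sess.transcript:
        tag = "C: " if direction == "c2s" else "S: "
        out.extend(tag + ln for ln in chunk.decode("ascii", "replace").splitlines())
    return "\n".join(out)


def _segments(direction: str, chunks: Sequence[bytes]) -> List[Segment]:
    """Assign consecutive sequence numbers to one direction's chunks."""
    segs, seq = [], 0
    for c in chunks:
        segs.append(Segment(direction, seq, c))
        seq += len(c)
    return segs


# Constructed sample session; hosts and addresses are hypothetical.
C = _segments("c2s", [b"EHLO client.example.test\r\n",
                      b"MAIL FROM:<alice@example.test>\r\n",
                      b"RCPT TO:<bob@example.test>\r\n", b"DATA\r\n",
                      b"Subject: invoice\r\n\r\nPlease see the attached invoice.\r\n",
                      b"..hidden dot line\r\n.\r\n", b"QUIT\r\n"])
S = _segments("s2c", [b"220 mx.example.test ESMTP ready\r\n", b"250 mx.example.test\r\n",
                      b"250 OK\r\n", b"250 OK\r\n",
                      b"354 End data with <CR><LF>.<CR><LF>\r\n",
                      b"250 OK queued\r\n", b"221 Bye\r\n"])
# Wire order: C[0] and C[1] are retransmitted, and the two message fragments
# arrive out of order (C[5] before C[4]).
CAPTURE = [S[0], C[0], S[1], C[0], C[1], S[2], C[1], C[2], S[3],
           C[3], S[4], C[5], C[4], S[5], C[6], S[6]]


def analyze(capture: Sequence[Segment]) -> SmtpSession:
    sess = SmtpSession()
    for seg in capture:
        sess.feed(seg)
    return sess


if __name__ == "__main__":
    s = analyze(CAPTURE)
    print(render(s))
    print("sender:", s.sender())
    print("save?", should_save(s, watched_senders=["alice@example.test"], keywords=["invoice"]))
```

The retransmitted EHLO and MAIL FROM appear once in the rendered transcript because `Reassembler.add` discards any segment whose bytes are already below `next_seq`; the out-of-order fragment is held in `pending` until the gap before it is filled. The sender and body checks run on the reassembled client stream, not on individual packets, which is what the "whole email text" requirement needs.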