[Snort-users] Packet Capture

Al Lewis (allewi) allewi at cisco.com
Thu Jun 29 16:30:14 EDT 2017


Or the tagging feature:

See the README.tag file.

Taken from the file:

Introduction
------------
Tagging packets is a way to continue logging packets from a session or host
that generated an event in Snort.  When an event is generated based on a rule
that contains a tag option, information such as the IPs and ports involved, the
type of tagging decision that should be made (by session or host), for how long
to tag packets (the number of packets, seconds and/or bytes), the event id of
the packet that generated the alert (to be included in the logging information
with each tagged packet), etc. are saved into a data structure so that
subsequent packets can be checked against this information and a decision can
be made whether or not to tag/log the packet.  Tagged traffic is logged to
allow analysis of response codes and post-attack traffic.  Tag alerts will be
sent to the same output plugins as the original alert, but it is the
responsibility of the output plugin to properly handle these special alerts.
Currently, the database output plugin does not properly handle tag alerts.

Snort will only check whether or not it should tag a packet if that packet
did not generate an event.  The exception is an event based on a PASS rule
that does not contain a tag option: that packet will still be checked.



Albert Lewis
ENGINEER.SOFTWARE ENGINEERING
SOURCEfire, Inc. now part of Cisco
Email: allewi at cisco.com
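The README.tag mechanism quoted above, as an added example that is not part of this thread or of Snort's source: a small Python model that pulls the tag option out of two constructed Snort 2.x rules and replays constructed packets through the "save tag state when a tagged rule fires, check every later non-alerting packet against it" decision. The rule text, addresses and packets are all constructed, the rule matches are simulated rather than detected, and the limit boundaries (packets and bytes stop at the count, seconds stop strictly after the count), the default of `src` for host tagging and the event-id numbering are assumptions of the model, not a description of what Snort's own code does.

```python
import re
from collections import namedtuple
from dataclasses import dataclass
from typing import Optional

# Constructed rules in Snort 2.x syntax: tag:<session|host>,<count>,<packets|seconds|bytes>[,<src|dst>]
RULES = {
    1000001: 'alert tcp any any -> any 23 (msg:"telnet SYN"; flags:S; '
             'tag:session,10,seconds; sid:1000001;)',
    1000002: 'alert tcp any any -> 10.1.1.1 any (msg:"tag host"; content:"TAGME"; '
             'tag:host,3,packets,src; sid:1000002;)',
}

TAG_RE = re.compile(r'tag:\s*(session|host)\s*,\s*(\d+)\s*,\s*(packets|seconds|bytes)'
                    r'(?:\s*,\s*(src|dst))?\s*;')

# Constructed packet shape: ts in seconds since capture start, size in bytes on the wire.
Packet = namedtuple("Packet", "ts src sport dst dport size")


def parse_tag(rule: str) -> Optional[dict]:
    """Return the tag option of a rule as a dict, or None if the rule has none."""
    m = TAG_RE.search(rule)
    if not m:
        return None
    mode, count, metric, direction = m.groups()
    return {"mode": mode, "count": int(count), "metric": metric,
            "direction": direction or "src"}   # 'src' default is an assumption of this model


@dataclass
class TagState:
    """What README.tag says is saved when a rule carrying a tag option fires."""
    event_id: int
    spec: dict
    trigger: Packet
    packets: int = 0
    bytes: int = 0

    def matches(self, pkt: Packet) -> bool:
        t = self.trigger
        if self.spec["mode"] == "session":     # same 5-tuple, either direction
            fwd = (t.src, t.sport, t.dst, t.dport)
            return (pkt.src, pkt.sport, pkt.dst, pkt.dport) == fwd or \
                   (pkt.dst, pkt.dport, pkt.src, pkt.sport) == fwd
        host = t.dst if self.spec["direction"] == "dst" else t.src
        return host in (pkt.src, pkt.dst)      # any packet "containing" that IP

    def expired(self, pkt: Packet) -> bool:
        metric, limit = self.spec["metric"], self.spec["count"]
        if metric == "packets":
            return self.packets >= limit
        if metric == "seconds":
            return pkt.ts - self.trigger.ts > limit
        return self.bytes >= limit             # metric == "bytes"


class Tagger:
    def __init__(self) -> None:
        self.active: list = []
        self.next_event = 1

    def on_event(self, sid: int, pkt: Packet) -> int:
        """Rule sid fired on pkt: save tag state if the rule has a tag option."""
        eid, self.next_event = self.next_event, self.next_event + 1
        spec = parse_tag(RULES[sid])
        if spec:
            self.active.append(TagState(eid, spec, pkt))
        return eid

    def check(self, pkt: Packet, generated_event: bool = False) -> Optional[int]:
        """Event id to log pkt under, or None. Alerting packets are not tag-checked."""
        if generated_event:
            return None
        self.active = [s for s in self.active if not s.expired(pkt)]
        for s in self.active:
            if s.matches(pkt):
                s.packets += 1
                s.bytes += pkt.size
                return s.event_id
        return None


def replay() -> list:
    """Replay constructed traffic; returns the event id each packet is tagged with (or None)."""
    tg = Tagger()
    pkts = [
        Packet(0.0, "192.0.2.10", 40000, "198.51.100.5", 23, 60),    # fires sid 1000001
        Packet(0.5, "198.51.100.5", 23, "192.0.2.10", 40000, 60),    # reply in that session
        Packet(1.0, "192.0.2.10", 40001, "198.51.100.5", 80, 60),    # different session
        Packet(12.0, "192.0.2.10", 40000, "198.51.100.5", 23, 100),  # same session, >10 s later
        Packet(20.0, "192.0.2.20", 5555, "10.1.1.1", 80, 200),       # fires sid 1000002
        Packet(20.1, "192.0.2.20", 5556, "203.0.113.9", 443, 80),    # from the tagged src host
        Packet(20.2, "203.0.113.9", 443, "192.0.2.20", 5556, 80),    # to the tagged src host
        Packet(20.3, "192.0.2.20", 5557, "203.0.113.9", 443, 80),    # third and last tagged packet
        Packet(20.4, "192.0.2.20", 5558, "203.0.113.9", 443, 80),    # packet limit reached
    ]
    fired_on = {0: 1000001, 4: 1000002}   # simulated rule matches (no real detection here)
    out = []
    for i, p in enumerate(pkts):
        if i in fired_on:
            tg.on_event(fired_on[i], p)
        out.append(tg.check(p, generated_event=i in fired_on))
    return out
```

Running `replay()` gives `[None, 1, None, None, None, 2, 2, 2, None]`: the triggering packets themselves are logged by the alert, not by the tag; the session tag stops after 10 seconds; the host tag catches traffic both from and to 192.0.2.20 and then stops after three packets. For the original question, this is what limits a tag-driven capture to the session or host behind an alert rather than the whole interface.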

From: allewi <allewi at cisco.com>
Date: Thursday, June 29, 2017 at 3:39 PM
To: Justin Pederson <jpedersm at gmail.com>, snort-users at lists.snort.org
Subject: Re: [Snort-users] Packet Capture

Check out the session feature:

http://manual-snort-org.s3-website-us-east-1.amazonaws.com/node34.html#SECTION00472000000000000000


Albert Lewis
ENGINEER.SOFTWARE ENGINEERING
SOURCEfire, Inc. now part of Cisco
Email: allewi at cisco.com

From: Snort-users <snort-users-bounces at lists.snort.org> on behalf of Justin Pederson via Snort-users <snort-users at lists.snort.org>
Reply-To: Justin Pederson <jpedersm at gmail.com>
Date: Thursday, June 29, 2017 at 3:08 PM
To: snort-users at lists.snort.org
Subject: [Snort-users] Packet Capture

Is there a way with snort to start a full pcap on an interface for the entire interface or specific IP based on an alert from the IDS?

