You could just use Snort's tagging capability to log all traffic to/from a
specific host if it sets off a rule, how about that?

     -Marty

On 3/13/02 7:03 AM, "Martin Olsson" <[EMAIL PROTECTED]> wrote:

> 
> Hello guys.
> 
> I'm missing some functionality in your applications:
> 
> I'd like Snort to be able to send a SIGUSR1 or SIGUSR2 to one or many
> pid(s) when a malicious packet has been detected.
> 
> At the same time I'd like to have a sniffer (or several of them) capturing
> data to a cyclic fifo RAM buffer (for instance 16MB big) where the oldest
> data get pushed out when new arrives. If the sniffer receives a SIGUSR1 the
> content of the RAM-buffer is written to the hard disk. If a SIGUSR2 is
> received the buffer is written to the hard disk and the capture continues
> writing to disk instead of to the RAM-buffer.
> 
> This way you have a snapshot of all the network activity in the vicinity
> of the malicious packet detected by snort.
> 
> Is this possible? :-)
> 
> ...maybe snort could implement this functionality without the need of an
> external sniffer?
> 
> Regards:
> Martin Olsson
> 
> 

-- 
Martin Roesch - Founder/CEO Sourcefire Inc. - (410) 552-6999
Sourcefire: Professional Snort Sensor and Management Console appliances
[EMAIL PROTECTED] - http://www.sourcefire.com
Snort: Open Source Network IDS - http://www.snort.org
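The buffer-and-signal scheme Martin describes, as an added Python sketch that is not part of this thread and not Snort's tagging feature: frames go into a byte-capped ring, SIGUSR1 dumps the ring to disk as a pcap file, SIGUSR2 dumps it and then writes every later frame straight to disk. The packet source, the pcap writer, the `RingCapture` class and the in-memory sink used here instead of a file are my assumptions.

```python
import io, signal, struct, time
from collections import deque

def pcap_header(linktype=1, snaplen=65535):
    # libpcap file header: magic, version 2.4, tz offset, sigfigs, snaplen, linktype
    return struct.pack("<IHHiIII", 0xa1b2c3d4, 2, 4, 0, 0, snaplen, linktype)

def pcap_record(ts, frame):
    sec = int(ts)
    return struct.pack("<IIII", sec, int((ts - sec) * 1_000_000), len(frame), len(frame)) + frame

class RingCapture:
    """Cyclic RAM buffer capped by total frame bytes; the oldest frames are pushed
    out as new ones arrive (constructed design, not anything Snort ships)."""
    def __init__(self, capacity_bytes, sink=None):
        self.capacity = capacity_bytes
        self.sink = sink if sink is not None else io.BytesIO()  # a pcap file in real use
        self.buf, self.used = deque(), 0
        self.streaming = self.header_written = False
    def push(self, frame, ts=None):
        ts = time.time() if ts is None else ts
        if self.streaming:                      # after SIGUSR2: straight to disk
            self._write(pcap_record(ts, frame))
        else:
            self.buf.append((ts, frame))
            self.used += len(frame)
            while self.used > self.capacity:    # push the oldest data out
                self.used -= len(self.buf.popleft()[1])
        return len(self.buf)
    def _write(self, data):
        if not self.header_written:             # one file header, then records
            self.sink.write(pcap_header())
            self.header_written = True
        self.sink.write(data)
    def snapshot(self, *_):                     # SIGUSR1 handler
        # Dump buffered frames as pcap records (returns record bytes); emptying the
        # buffer keeps a second alert from writing the same frames twice.
        n = 0
        for ts, frame in self.buf:
            rec = pcap_record(ts, frame); self._write(rec); n += len(rec)
        self.buf.clear(); self.used = 0
        self.sink.flush()
        return n
    def snapshot_and_stream(self, *_):          # SIGUSR2 handler
        n = self.snapshot()                     # dump, then keep writing to disk
        self.streaming = True
        return n

def install_handlers(cap):                      # alerting process runs: kill -USR1/-USR2 <sniffer pid>
    signal.signal(signal.SIGUSR1, cap.snapshot)
    signal.signal(signal.SIGUSR2, cap.snapshot_and_stream)
```

A real sniffer would pass `open("snapshot.pcap", "wb")` as `sink`, call `install_handlers(cap)` once, and feed each captured frame to `cap.push`.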

-
This is the TCPDUMP workers list. It is archived at
http://www.tcpdump.org/lists/workers/index.html
To unsubscribe use mailto:[EMAIL PROTECTED]?body=unsubscribe
