snort-users November 2009 archive

[Snort-users] session:printable question

From: Taras Danko <gortaur_at_nospam>
Date: Thu Nov 12 2009 - 16:25:57 GMT
To: snort-users@lists.sourceforge.net


Hello guys.

I've got an assignment to dump all the application level data from all the telnet sessions destined to certain subnet in ASCII form using snort.
My custom rule to accomplish this is the following:

log tcp any any <> $SUBNET 23 (session:printable; sid:1000003;)

The rule by itself is OK. The bad thing is the filename hierarchy of the captured session, which looks like:
/var/log/snort/<SRC_IP>/SESSION:<high_port>-<low_port>

With the current schema I'm unable to identify the IP of the destination host of a session, only the source. It makes the whole dumping half useless.
Is it possible to somehow add the dest_ip to the session filename or dirname, or attach it to the session file in some other way?

I know about other ways and tools to accomplish the same thing, but I have no choice and need to defeat snort's session:printable at the moment :)

Thank you in advance.

--
Regards, Taras Danko
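One way to recover the destination host without changing Snort's session output, as an added example that is not part of the original post and not Snort's own code: parse the `/var/log/snort/<SRC_IP>/SESSION:<high_port>-<low_port>` layout described above and join each session file against a separate connection record that carries the full 4-tuple (the flow records below are constructed sample data; a real deployment would take them from a packet capture or flow log, which is an assumption of this example). The script assumes the high port is the client's ephemeral port and the low port is the telnet service port, and it flags the case where one client port maps to more than one destination, which is exactly the information the session filename loses.

```python
import re
from collections import defaultdict

# Constructed sample session file paths in the layout described in the post.
SESSION_FILES = [
    "/var/log/snort/192.0.2.10/SESSION:40001-23",
    "/var/log/snort/192.0.2.10/SESSION:40002-23",
    "/var/log/snort/192.0.2.55/SESSION:51000-23",
]

# Constructed flow records (src_ip, src_port, dst_ip, dst_port); in practice
# these would come from a packet capture or flow log (assumption, not Snort output).
FLOW_RECORDS = [
    ("192.0.2.10", 40001, "10.0.0.5", 23),
    ("192.0.2.10", 40002, "10.0.0.6", 23),
    ("192.0.2.10", 40002, "10.0.0.7", 23),  # client port reused: ambiguous on purpose
]

# Matches the session filename hierarchy quoted in the post.
PATH_RE = re.compile(
    r"^/var/log/snort/(?P<src>\d{1,3}(?:\.\d{1,3}){3})/SESSION:(?P<high>\d+)-(?P<low>\d+)$"
)


def parse_session_path(path):
    """Return (src_ip, high_port, low_port) from a Snort session file path."""
    m = PATH_RE.match(path)
    if not m:
        raise ValueError("not a snort session path: %r" % path)
    return m.group("src"), int(m.group("high")), int(m.group("low"))


def index_flows(records):
    """Map (src_ip, src_port, dst_port) -> set of destination IPs seen for it."""
    idx = defaultdict(set)
    for src_ip, src_port, dst_ip, dst_port in records:
        idx[(src_ip, src_port, dst_port)].add(dst_ip)
    return idx


def resolve_destinations(paths, records):
    """For each session file, list the destination IPs its 3-tuple matches.

    Assumes high_port is the client (source) port and low_port is the server
    port. An empty list means no flow record matched; more than one entry
    means the client port was reused towards several hosts and the session
    file alone cannot tell them apart.
    """
    idx = index_flows(records)
    resolved = {}
    for path in paths:
        src_ip, high_port, low_port = parse_session_path(path)
        resolved[path] = sorted(idx.get((src_ip, high_port, low_port), set()))
    return resolved


def ambiguous_sessions(resolved):
    """Return the session paths whose destination could not be pinned to one host."""
    return sorted(p for p, dsts in resolved.items() if len(dsts) != 1)


if __name__ == "__main__":
    result = resolve_destinations(SESSION_FILES, FLOW_RECORDS)
    for path, dsts in result.items():
        print("%s -> %s" % (path, ", ".join(dsts) if dsts else "(no match)"))
    print("ambiguous:", ambiguous_sessions(result))
```

Running it on the constructed data pins the first session file to 10.0.0.5, reports two candidate destinations for the second (the reused client port), and finds no record at all for the third, so a reviewer can see at a glance which session dumps still need a manual look.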