Hello guys.
I'm missing some functionality in your applications: I'd like Snort to be able to send a SIGUSR1 or SIGUSR2 to one or more pid(s) when a malicious packet has been detected. At the same time I'd like to have a sniffer (or several of them) capturing data to a cyclic FIFO RAM buffer (for instance 16MB big) where the oldest data gets pushed out when new data arrives. If the sniffer receives a SIGUSR1, the content of the RAM buffer is written to the hard disk. If a SIGUSR2 is received, the buffer is written to the hard disk and the capture continues writing to disk instead of to the RAM buffer. This way you have a snapshot of all the network activity in the vicinity of the malicious packet detected by Snort.

Is this possible? :-) ...maybe Snort could implement this functionality without the need of an external sniffer?

Regards: Martin Olsson

-
This is the TCPDUMP workers list. It is archived at http://www.tcpdump.org/lists/workers/index.html
To unsubscribe use mailto:[EMAIL PROTECTED]?body=unsubscribe
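The following is an added example of the "flight recorder" mechanism described in the message above; it is not code from the original post, from tcpdump or from Snort. It implements the cyclic RAM buffer (oldest packet record pushed out when a new one does not fit), a SIGUSR1 handler that dumps the buffer to a file, and a SIGUSR2 handler that dumps it and then switches the capture to writing straight to disk. Assumptions: packets are handed to `capture_step()` by the caller (no libpcap in this sketch), and the on-disk format is a plain stream of 4-byte-length-prefixed records rather than pcap. The signal handlers only set flags because stdio calls are not safe inside a handler; the capture loop does the actual writing.

```c
/* Added example, not tcpdump or snort code: a sketch of the "flight recorder" from the
 * post.  Packets go into a fixed-size RAM ring that pushes out the oldest record when
 * full; SIGUSR1 dumps the ring to disk, SIGUSR2 dumps it and then writes every later
 * packet straight to disk.  Assumed: the caller feeds packets in (no libpcap here), and
 * the output is a stream of 4-byte-length-prefixed records, not pcap. */
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define HDR 4  /* each record: 4-byte little-endian length, then the packet bytes */
struct ring { uint8_t *buf; size_t cap, head, tail, used, records; }; /* head: next write; tail: oldest */

static int ring_init(struct ring *r, size_t cap) {
    memset(r, 0, sizeof *r);
    r->cap = cap;
    return (r->buf = malloc(cap)) ? 0 : -1;
}
/* Byte copies in and out of the ring, wrapping at the end of the buffer. */
static void put_bytes(struct ring *r, const uint8_t *src, size_t n) {
    for (size_t i = 0; i < n; i++, r->head = (r->head + 1) % r->cap) r->buf[r->head] = src[i];
    r->used += n;
}
static void get_bytes(struct ring *r, uint8_t *dst, size_t n) {
    for (size_t i = 0; i < n; i++, r->tail = (r->tail + 1) % r->cap) dst[i] = r->buf[r->tail];
    r->used -= n;
}
static size_t peek_len(const struct ring *r) {  /* length of the oldest record */
    size_t len = 0;
    for (size_t i = 0; i < HDR; i++) len |= (size_t)r->buf[(r->tail + i) % r->cap] << (8 * i);
    return len;
}
static void encode_len(uint8_t hdr[HDR], size_t len) {
    for (size_t i = 0; i < HDR; i++) hdr[i] = (uint8_t)(len >> (8 * i));
}

/* Append a packet, evicting the oldest records until it fits; -1 if it never could. */
static int ring_push(struct ring *r, const uint8_t *pkt, size_t len) {
    uint8_t hdr[HDR];
    if (len + HDR > r->cap) return -1;
    while (r->cap - r->used < len + HDR) {       /* push out the oldest record */
        size_t old = HDR + peek_len(r);
        r->tail = (r->tail + old) % r->cap;
        r->used -= old;
        r->records--;
    }
    encode_len(hdr, len);
    put_bytes(r, hdr, HDR);
    put_bytes(r, pkt, len);
    r->records++;
    return 0;
}

static void write_record(FILE *out, const uint8_t *pkt, size_t len) {
    uint8_t hdr[HDR];
    encode_len(hdr, len);
    fwrite(hdr, 1, HDR, out);
    fwrite(pkt, 1, len, out);
}

/* Snapshot: write every buffered record oldest-first, then empty the ring.
 * Returns how many records were written. */
static size_t ring_dump(struct ring *r, FILE *out) {
    size_t n = 0;
    for (; r->records; r->records--, n++) {
        uint8_t hdr[HDR];
        size_t len = peek_len(r), first;
        get_bytes(r, hdr, HDR);                  /* tail now points at the payload */
        first = len < r->cap - r->tail ? len : r->cap - r->tail;
        fwrite(hdr, 1, HDR, out);
        fwrite(r->buf + r->tail, 1, first, out);
        fwrite(r->buf, 1, len - first, out);     /* wrapped remainder, if any */
        r->tail = (r->tail + len) % r->cap;
        r->used -= len;
    }
    fflush(out);
    return n;
}

/* Handlers only raise flags; the capture loop does the I/O (stdio is not async-signal-safe). */
static volatile sig_atomic_t want_snapshot = 0, want_passthrough = 0;
static void on_usr1(int sig) { (void)sig; want_snapshot = 1; }
static void on_usr2(int sig) { (void)sig; want_passthrough = 1; }
static int install_handlers(void) {
    return (signal(SIGUSR1, on_usr1) == SIG_ERR || signal(SIGUSR2, on_usr2) == SIG_ERR) ? -1 : 0;
}

enum mode { MODE_RING, MODE_DISK };
/* One capture-loop iteration: act on pending signals, then buffer the packet or
 * (after SIGUSR2) write it straight to disk.  Returns the mode now in effect. */
static enum mode capture_step(struct ring *r, FILE *out, enum mode m, const uint8_t *pkt, size_t len) {
    if (want_passthrough) {                      /* SIGUSR2: dump, then stay on disk */
        want_passthrough = want_snapshot = 0;
        ring_dump(r, out);
        m = MODE_DISK;
    } else if (want_snapshot) {                  /* SIGUSR1: dump, keep buffering */
        want_snapshot = 0;
        ring_dump(r, out);
    }
    if (m == MODE_DISK) write_record(out, pkt, len); else ring_push(r, pkt, len);
    return m;
}
```

To use it, call `ring_init()` with the buffer size (the 16MB from the post would be `16u << 20`), `install_handlers()` once, and then `capture_step()` for every packet your capture source hands you, passing the `FILE *` the snapshot should go to; Snort, or anything else, then triggers a snapshot with `kill -USR1 <pid>` and a switch to continuous disk capture with `kill -USR2 <pid>`. The ring stores whole records, so a packet is never half-evicted, and `ring_push()` refuses only packets that could never fit in the ring at all.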
