I did this several years ago, but when I switched to full packetcapture I did not have the need for catching pcap of traffic firing a rule.
You can do this with the tag option in Snort. If you want to know more, please read README.tag.
I will present you with a signature that will log the first 1000 bytes or 100 seconds (What ever comes first!) after the packet that triggered the event. Im looking for a SYN flag in a TCP session and I start my logging from there (0,packets means that there are no limits on amount of packets).
alert tcp 18.104.22.168 any <> $HOME_NET any (msg:”GL Log Packet Evil-IP 22.214.171.124 (gamelinux.org)”; flags:S; tag:session,1000,bytes,100,seconds,0,packets; classtype:trojan-activity; sid:201102011; rev:1;)
I use unified2 as output plugin for Snort (something that also Sourcefire 3D does IIRC), so I need to fetch the pcap from the unified log. Snort 2.9.0 and newer ships with a new tool that will help you here, u2boat. This will carve out the pcaps from the unified log:
# u2boat /var/log/snort/<unified.log.timestamp> /tmp/snort.pcap
From there, you can read the /tmp/snort.pcap with tcpdump or wireshark etc. or just fetch the evil-IP packets:
# tcpdump -r /tmp/snort.pcap -w /tmp/Evil-126.96.36.199-traffic.pcap 'host 188.8.131.52'
If you love it in console, you can read the pcap with tcpflow etc:
# tcpflow -c -r /tmp/Evil-184.108.40.206-traffic.pcap
I did could not seem to verify that the “0,packets” actually do work. I added the following line also to my snort.conf:
But again, not sure if it works.
I wanted to do some more testing before releasing this blog, but it has been sitting around for a while, so If I play more with it and have something new, Ill post a new post
BTW, turning you Sourcefire 3D into a packetcapture device is easy adding the rule as above, you can just click the “Download Packet(s)” Button in the Event Information/Packet Information view Use such a rule with care though…