You want to capture all the traffic from a specific TCP session.
Use the session option in a rule.
For example, to capture only printable characters:
The printable modifier outputs all the printable text from a session. This is an incredibly useful option for a plain-text session such as FTP or Telnet. It allows you to view the content of an entire session. If the protocol is a little more complex, use the all modifier to output all the data from the session.
For example, the previous rule produces the following output in the log SESSION:
&& !"'#P 38400,38400#frodo:0'DISPLAYfrodo:0XTERMsimon^Mpassword^m
This shows all the Telnet sessions from the client to the server, with the username and password obvious in clear text. If you replace -> with <> to get both sides of the conversation, it becomes a little clearer.
alert tcp any any <> any 23 ( msg: "Telnet"; session: printable;)
This gives the following :
&& !"'# #'&&!" #'P 38400,38400#frodo:0'DISPLAYfrodo:0XTERMFedora Core release 2 (Tettnang) Kernel 2.6.5-1.358 on an i686 login: ssiimmoonn^M Password: password^M Last login: Fri Jul 2 12:58:49 from 192.168.0.8 ]0;simon@blackbox:~[simon@blackbox simon]$
which makes a little more sense, except for the doubled up letters when the letter is both sent from and returned to the Telnet client.
Snort Users Manual
Killing a Specific Session
Installing Snort from Source on Unix
Logging to a File Quickly
How to Build Rules
Detecting Stateless Attacks and Stream Reassembly
Managing Snort Sensors
Generating Statistical Output from Snort Logs
Monitoring Network Performance