[Snort-devel] über-packet

elof at ...969... elof at ...969...
Fri Mar 4 06:16:08 EST 2011


Many years ago, snort logged stream-matches as an über-packet, i.e. a 
packet far bigger than the normal max 1500 bytes frame size.

The size of such über-packet events was usually 64kB.

Q1: Is this behavior completely deprecated?

I guess it is, and that it is replaced with a function that dumps the 
individual packets that are part of the stream instead.
Q2: Correct?

Q3: Is there any way to configure snort to do it the old way? I.e. log one 
(1) large über-packet with a copy of the whole stream-buffer instead of e.g. 
14 small packets?

(nowadays I'm using unified2)
