[Snort-devel] 'only_stream' (and other alternate decode buffers) do not write out data to the logs

Joel Esler jesler at ...402...
Fri Oct 7 15:12:13 EDT 2011

On Oct 7, 2011, at 3:08 AM, <Joshua.Kinard at ...3108...> <Joshua.Kinard at ...3192...08...> wrote:

> Hi snort-devel,
> I think I've found another bug.  There have been times when I wanted to
> dump a Stream5-reassembled packet back out to the log files to inspect
> it in Wireshark, and when using 'flow:established,only_stream;', all I
> get out is a 24-byte file, which is just the pcap header, but no data.
> I later discovered the same is true when using other decode buffers,
> such as b64_decode_depth in the SMTP preprocessor and 'file_data;' in a
> rule -- the alerts write out a 24-byte file and nothing else.
> Is there a solution/workaround for this?  Or where in the code can the
> function for writing out pcap data be found?
I'm not saying what you found isn't a bug, but I am not sure the way you are doing things will produce the results you are looking for.

only_stream is a matching function, meaning it only matches the contents of a rule if they are in the reassembled stream buffer.

If you are looking to LOG extra data, you want the "Tag" rule keyword.

Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
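As an added illustration of the distinction drawn in the reply (constructed for this page, not a rule from the thread or from the Snort project), here are two Snort 2.9 rules side by side: the first relies on only_stream, which restricts matching to the reassembled buffer but adds nothing to what gets logged, and the second adds the tag keyword so the packets that follow the alert in that session are logged as well. The content string, port, packet count and sid values are assumptions.

```snort
# Constructed example, not from the thread. only_stream limits the match to the
# Stream5-reassembled buffer; it does not change what the alert writes to the log.
alert tcp $EXTERNAL_NET any -> $HOME_NET 25 ( \
    msg:"CONSTRUCTED only_stream match, no extra logging"; \
    flow:established,to_server,only_stream; \
    content:"EXAMPLE-MARKER"; nocase; \
    sid:1000001; rev:1; )

# Same match, plus tag: after this rule fires, Snort also logs the next 10
# packets of the same session so the exchange can be opened in Wireshark.
alert tcp $EXTERNAL_NET any -> $HOME_NET 25 ( \
    msg:"CONSTRUCTED only_stream match with session tagging"; \
    flow:established,to_server,only_stream; \
    content:"EXAMPLE-MARKER"; nocase; \
    tag:session,10,packets; \
    sid:1000002; rev:1; )
```

The tagged packets are written through whatever output or log plugin is configured, so a pcap output must be enabled for them to appear in a capture file.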
