[Snort-devel] 'only_stream' (and other alternate decode buffers) do not write out data to the logs

Joel Esler jesler at ...402...
Fri Oct 7 15:12:13 EDT 2011


On Oct 7, 2011, at 3:08 AM, <Joshua.Kinard at ...3108...> <Joshua.Kinard at ...3192...08...> wrote:

> 
> Hi snort-devel,
> 
> I think I've found another bug.  There have been times when I wanted to
> dump a Stream5-reassembled packet back out to the log files to inspect
> it in Wireshark, and when using 'flow:established,only_stream;', all I
> get out is a 24-byte file, which is just the pcap header, but no data.
> I later discovered the same is true when using other decode buffers,
> such as b64_decode_depth in the SMTP preprocessor and 'file_data;' in a
> rule -- the alerts write out a 24-byte file and nothing else.
> 
> Is there a solution/workaround for this?  Or where in the code can the
> function for writing out pcap data be found?

Joshua,

I'm not saying what you found isn't a bug, but I am not sure the way you are doing things will produce the results you are looking for.

Only_stream is a matching function.  Meaning, only match the contents of a rule if it's in the reassembled stream buffer.

If you are looking to LOG extra data, you want the "Tag" rule keyword.

--
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire
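To make the distinction in Joel's reply concrete, here is an added example (not from the original thread or the Snort project) contrasting a rule that uses `only_stream` as a match condition with the same rule carrying a `tag` option so that additional session packets are logged after the alert fires. The `$EXTERNAL_NET`/`$HOME_NET` variables, the `content` string, the tag count and the `sid` values are assumptions chosen for illustration; `tag:session,<count>,packets` is the standard Snort 2.x tag syntax.

```snort
# Rule as described in the question: 'only_stream' restricts the match to the
# Stream5-reassembled buffer. It changes WHAT is matched, not what is logged,
# so the alert alone yields only the triggering (rebuilt) packet at best.
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 ( \
    msg:"EXAMPLE match in reassembled stream"; \
    flow:established,to_server,only_stream; \
    content:"GET /example"; \
    sid:1000001; rev:1; )

# Same match, plus 'tag'. After this rule alerts, Snort additionally logs the
# next 20 packets of the same session (constructed count), so the resulting
# log holds real session traffic to open in Wireshark rather than just a
# 24-byte pcap file header.
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 ( \
    msg:"EXAMPLE match in reassembled stream, tag session"; \
    flow:established,to_server,only_stream; \
    content:"GET /example"; \
    tag:session,20,packets; \
    sid:1000002; rev:1; )
```

The tag metric can also be `seconds` or `bytes`, and `tag:host,...` tags by source or destination host instead of by session; the point is that logging of follow-on packets is a separate rule option from the buffer the match is evaluated against.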


