[Snort-devel] 'only_stream' (and other alternate decode buffers) do not write out data to the logs

Joshua.Kinard at ...3108... Joshua.Kinard at ...3108...
Fri Oct 7 22:15:34 EDT 2011


-----Original Message-----
From: Jason Brvenik [mailto:jason.brvenik at ...402...] 
Sent: Friday, October 07, 2011 8:51 PM
Subject: Re: [Snort-devel] 'only_stream' (and other alternate
         decode buffers) do not write out data to the logs

> AFAIK pseudo packet logging is gone and has been for a while.
> The only output method that supports this (differently mind
> you) is unified2.
>
> If you log to unified2 it will log the event and the packet(s)
> that made up the event. In your case these should be the
> packets that created the reassembled pseudo packet. 

Interesting.  Do you know of a particular date this might have happened
around?  I'd like to go dig into CVS and maybe re-integrate the code and
try it out.  Could've been a problem with it initially that forced the
removal.

I haven't played with unified2 that much.  I typically just log to
straight libpcap files and analyze them in Wireshark.


Thanks!

--J