[Snort-devel] 'only_stream' (and other alternate decode buffers) do not write out data to the logs

Steven Sturges ssturges at ...402...
Sat Oct 8 16:07:57 EDT 2011


Not sure when logging of reassembled packets was removed -- maybe 2.2
or even earlier.... It's been a good while, for sure.  ;)

Snort is only designed to write out the original packets in pcap
form -- and not the reassembled packet or arbitrary normalized data
that was never actually seen on the wire.  This keeps the pcap log
as a record of actual on-wire traffic.

The unified2 extra data record type was created for the purpose of
logging relevant data from the event so it would be useful to analysts.
For example, Snort can log the normalized HTTP URI, SMTP
filenames, email recipients, etc.

Almost sounds like using unified2 logging might better serve your
purpose...

Cheers
-steve


On 10/7/11 10:15 PM, Joshua.Kinard at ...3108... wrote:
> -----Original Message-----
> From: Jason Brvenik [mailto:jason.brvenik at ...402...]
> Sent: Friday, October 07, 2011 8:51 PM
> Subject: Re: [Snort-devel] 'only_stream' (and other alternate
>           decode buffers) do not write out data to the logs
>
>> AFAIK pseudo packet logging is gone and has been for a while.
>> The only output method that supports this (differently mind
>> you) is unified2.
>>
>> If you log to unified2 it will log the event and the packet(s)
>> that made up the event. In your case these should be the
>> packets that created the reassembled pseudo packet.
>
> Interesting.  Do you know of a particular date this might have happened
> around?  I'd like to go dig into CVS and maybe re-integrate the code and
> try it out.  Could've been a problem with it initially that forced the
> removal.
>
> I haven't played with unified2 that much.  I typically just log to
> straight libpcap files and analyze them in Wireshark.
>
>
> Thanks!,
>
> --J
>
> _______________________________________________
> Snort-devel mailing list
> Snort-devel at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-devel
>
> Please visit http://blog.snort.org for the latest news about Snort!
>
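To make the point in Steve's reply concrete: the normalized URI, SMTP filename or recipient never appears in the pcap log, because that log only ever holds on-wire packets, so an analyst who wants those values has to read them out of the unified2 extra data records. The following reader is an added example written for this page; it is not code from the thread or from the Snort project. The record layout it assumes (outer `type`/`length` header, record type 110, inner `event_type` 4, then `sensor_id`, `event_id`, `event_second`, `type`, `data_type`, `blob_length` and the payload, all big-endian 32-bit fields, with `blob_length` counting the payload plus the two fields before it) and the numeric type-to-name table are my recollection of Snort's Unified2_common.h and should be checked against the header shipped with the release you run. The sample bytes are constructed inline by `build_extra_data`, not captured from a sensor.

```python
"""Minimal offline reader for unified2 'extra data' records (record type 110).

Layout assumptions (from memory of Snort's Unified2_common.h; verify locally):
  outer header : uint32 type, uint32 length              (network byte order)
  extra data   : uint32 event_type (== 4), uint32 event_length,
                 uint32 sensor_id, uint32 event_id, uint32 event_second,
                 uint32 type, uint32 data_type, uint32 blob_length, payload
  blob_length  : len(payload) + sizeof(data_type) + sizeof(blob_length)
"""
import struct
from typing import Iterator, NamedTuple

UNIFIED2_EXTRA_DATA = 110   # outer record type carrying extra data (assumed)
EVENT_TYPE_EXTRA_DATA = 4   # inner event_type for extra data (assumed)

# EventInfo values -> names, as recalled from Snort's header (assumed table).
EXTRA_DATA_TYPES = {
    1: "XFF_IPV4", 2: "XFF_IPV6", 3: "REVIEWED_BY", 4: "GZIP_DATA",
    5: "SMTP_FILENAME", 6: "SMTP_MAILFROM", 7: "SMTP_RCPTTO",
    8: "SMTP_EMAIL_HEADERS", 9: "HTTP_URI", 10: "HTTP_HOSTNAME",
    11: "IPV6_SRC", 12: "IPV6_DST", 13: "NORMALIZED_JS",
}

RECORD_HDR = struct.Struct("!II")        # type, length
EXTRA_HDR = struct.Struct("!8I")         # the eight uint32 fields listed above


class ExtraData(NamedTuple):
    sensor_id: int
    event_id: int
    event_second: int
    info_type: int
    data_type: int
    data: bytes

    @property
    def type_name(self) -> str:
        return EXTRA_DATA_TYPES.get(self.info_type, f"UNKNOWN({self.info_type})")

    @property
    def text(self) -> str:
        # Textual payloads (URI, filename, recipient); trailing NULs dropped if present.
        return self.data.rstrip(b"\x00").decode("utf-8", "replace")


def iter_records(buf: bytes) -> Iterator[tuple[int, bytes]]:
    """Walk the (type, length, body) framing shared by every unified2 record."""
    off = 0
    while off + RECORD_HDR.size <= len(buf):
        rtype, rlen = RECORD_HDR.unpack_from(buf, off)
        off += RECORD_HDR.size
        if off + rlen > len(buf):
            raise ValueError(f"truncated record at offset {off - RECORD_HDR.size}")
        yield rtype, buf[off:off + rlen]
        off += rlen
    if off != len(buf):
        raise ValueError("trailing bytes after last complete record")


def parse_extra_data(body: bytes) -> ExtraData:
    """Decode one extra-data record body, refusing inconsistent length fields."""
    if len(body) < EXTRA_HDR.size:
        raise ValueError("extra data body shorter than its fixed header")
    (event_type, event_length, sensor_id, event_id, event_second,
     info_type, data_type, blob_length) = EXTRA_HDR.unpack_from(body, 0)
    if event_type != EVENT_TYPE_EXTRA_DATA:
        raise ValueError(f"unexpected event_type {event_type}")
    if event_length > len(body):
        raise ValueError("event_length exceeds record body")
    data_len = blob_length - 8          # strip the two counted header fields
    if data_len < 0 or EXTRA_HDR.size + data_len > len(body):
        raise ValueError("blob_length inconsistent with record length")
    data = body[EXTRA_HDR.size:EXTRA_HDR.size + data_len]
    return ExtraData(sensor_id, event_id, event_second, info_type, data_type, data)


def extract_extra_data(buf: bytes) -> list[ExtraData]:
    """Return all extra-data records in a unified2 byte stream, skipping other types."""
    return [parse_extra_data(body) for rtype, body in iter_records(buf)
            if rtype == UNIFIED2_EXTRA_DATA]


def build_extra_data(sensor_id: int, event_id: int, event_second: int,
                     info_type: int, data: bytes) -> bytes:
    """Serialise one record under the assumed layout (used to construct sample input)."""
    body_len = EXTRA_HDR.size + len(data)
    body = EXTRA_HDR.pack(EVENT_TYPE_EXTRA_DATA, body_len, sensor_id, event_id,
                          event_second, info_type, 1, 8 + len(data)) + data
    return RECORD_HDR.pack(UNIFIED2_EXTRA_DATA, body_len) + body


# Constructed sample stream: a packet record (type 2, dummy body) that the
# reader must skip, followed by two extra-data records for the same event.
SAMPLE_STREAM = (
    RECORD_HDR.pack(2, 4) + b"\x00\x00\x00\x00"
    + build_extra_data(1, 42, 1317934500, 9, b"/cgi-bin/test.cgi?id=1")
    + build_extra_data(1, 42, 1317934500, 7, b"bob@example.com")
)

if __name__ == "__main__":
    for rec in extract_extra_data(SAMPLE_STREAM):
        print(f"event {rec.event_id} {rec.type_name}: {rec.text}")
```

Run against a real `snort.u2.*` file, `extract_extra_data(open(path, "rb").read())` yields one entry per logged URI, filename or recipient, keyed by `sensor_id`/`event_id`/`event_second` so it can be joined back to the IDS event and packet records that carry the same triple. The length checks matter in practice: a sensor killed mid-write leaves a partial trailing record, and a reader that trusts `blob_length` blindly will happily return garbage from the next record's bytes.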



