[Snort-devel] 'only_stream' (and other alternate decode buffers) do not write out data to the logs

Joel Esler jesler at ...402...
Sat Oct 8 17:22:59 EDT 2011


You should log to unified2, much more data is put out in that format than in pcap. 

--
Joel Esler 

On Oct 8, 2011, at 16:07, Steven Sturges <ssturges at ...402...> wrote:

>> I haven't played with unified2 that much.  I typically just log to
>> straight libpcap files and analyze them in WireShark
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 6362 bytes
Desc: not available
URL: <https://lists.snort.org/pipermail/snort-devel/attachments/20111008/f3b41207/attachment.bin>


More information about the Snort-devel mailing list