[Snort-devel] 'only_stream' (and other alternate decode buffers) do not write out data to the logs

Joshua.Kinard at ...3108...
Wed Oct 12 03:54:36 EDT 2011


-----Original Message-----
Sent: Saturday, October 08, 2011 4:08 PM
Subject: Re: [Snort-devel] 'only_stream' (and other alternate decode buffers) do not write out data to the logs

> Not sure when logging of reassembled packets was removed -- maybe 2.2
> or even earlier.... It's been a good while, for sure.  ;)
>
> Snort is only designed to write out the original packets in pcap
> form -- and not the reassembled packet or arbitrary normalized data
> that was never actually seen on the wire.  This keeps the pcap log
> as a record of actual on-wire traffic.
>
> The unified2 extra data record type was created for the purpose of
> logging relevant data from the event so it would be useful to
> analysts.  For example, Snort can log the normalized HTTP URI, SMTP
> filenames, email recipients, etc.
>
> Almost sounds like using unified2 logging might better serve your
> purpose...

Okay, I'll give unified2 a try then.  Still might want to look into why
Snort scribbles out an empty pcap (24-byte header) when alerting on a
rule using base64_data/file_data or only_stream (probably only_frag,
too) and logging to pcap.  That might remove some confusion in the
future.

Cheers!,

--J
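As an added example (not code from this thread, and not Snort's own), a small Python check that parses the libpcap global header and counts packet records, so a 24-byte header-only file like the one Joshua describes can be flagged rather than mistaken for a log that captured something. The two sample files are constructed inline; the snaplen and timestamp values in them are arbitrary.

```python
import struct

PCAP_GLOBAL_HEADER_LEN = 24   # magic, version, tz, sigfigs, snaplen, linktype
PCAP_RECORD_HEADER_LEN = 16   # ts_sec, ts_usec, incl_len, orig_len


def inspect_pcap(data: bytes) -> dict:
    """Parse an in-memory libpcap file and report whether it is header-only.

    Returns the global header fields and the number of packet records.
    Raises ValueError on a truncated or unrecognised file.
    """
    if len(data) < PCAP_GLOBAL_HEADER_LEN:
        raise ValueError("shorter than a pcap global header")
    magic = data[:4]
    if magic in (b"\xa1\xb2\xc3\xd4", b"\xa1\xb2\x3c\x4d"):    # big-endian, usec/nsec
        endian = ">"
    elif magic in (b"\xd4\xc3\xb2\xa1", b"\x4d\x3c\xb2\xa1"):  # little-endian, usec/nsec
        endian = "<"
    else:
        raise ValueError("not a libpcap file (bad magic)")
    major, minor, _tz, _sigfigs, snaplen, linktype = struct.unpack(
        endian + "HHiIII", data[4:PCAP_GLOBAL_HEADER_LEN])
    records = 0
    off = PCAP_GLOBAL_HEADER_LEN
    while off < len(data):
        if off + PCAP_RECORD_HEADER_LEN > len(data):
            raise ValueError("truncated record header at offset %d" % off)
        _sec, _usec, incl_len, _orig_len = struct.unpack(
            endian + "IIII", data[off:off + PCAP_RECORD_HEADER_LEN])
        off += PCAP_RECORD_HEADER_LEN
        if off + incl_len > len(data):
            raise ValueError("truncated packet data at offset %d" % off)
        off += incl_len
        records += 1
    return {"version": (major, minor), "snaplen": snaplen, "linktype": linktype,
            "records": records, "header_only": records == 0}


# Constructed samples: a header-only file (what an alert-only log looks like)
# and the same header followed by one four-byte Ethernet-linktype record.
EMPTY_PCAP = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 1514, 1)
ONE_PACKET_PCAP = (EMPTY_PCAP
                   + struct.pack("<IIII", 1318000000, 0, 4, 4)
                   + b"\xde\xad\xbe\xef")

if __name__ == "__main__":
    for name, blob in (("empty", EMPTY_PCAP), ("one-packet", ONE_PACKET_PCAP)):
        print(name, inspect_pcap(blob))
```

Run it against a real log by reading the file into `bytes` and passing it to `inspect_pcap`; a result with `header_only` set true is the 24-byte case from the message above.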