[Snort-devel] 'only_stream' (and other alternate decode buffers) do not write out data to the logs

Jason Brvenik jason.brvenik at ...402...
Fri Oct 7 20:50:35 EDT 2011


AFAIK pseudo packet logging is gone and has been for a while. The only
output method that supports this (differently mind you) is unified2.

If you log to unified2 it will log the event and the packet(s) that made up
the event. In your case these should be the packets that created the
reassembled pseudo packet.
On Oct 7, 2011 8:30 PM, <Joshua.Kinard at ...3108...> wrote:
> -----Original Message-----
> From: Joel Esler [mailto:jesler at ...402...]
> Sent: Friday, October 07, 2011 3:12 PM
> Subject: Re: [Snort-devel] 'only_stream' (and other alternate decode
> buffers) do not write out data to the logs
>
>> Joshua,
>>
>> I'm not saying what you found isn't a bug, but I am not sure the way
>> you are doing things will produce the results you are looking for.
>>
>> Only_stream is a matching function. Meaning, only match the contents
>> of a rule if it's in the reassembled stream buffer.
>>
>> If you are looking to LOG extra data, you want the "Tag" rule keyword.
>
> This is why I am seeking clarity... If Snort ISN'T supposed to write
> out the matching buffer to a pcap file, then the bug is that it writes
> out an empty pcap file. Although, I don't see why it couldn't write out
> a pcap file containing the contents of the reassembled Stream5 (or even
> Frag3) pseudo-packet, or the buffer pointed at by file_data,
> base64_data, etc. Wireshark might make a fuss over it, but it still
> might prove useful to have.
>
> Is there a spot in the source code I can go take a look? I've been more
> into the detection-plugins stuff and haven't looked at the output
> plugins or DAQ too much. If I start at the function that actually
> writes the pcap file out to disk, I can backtrace from there and see
> what causes this.
>
> Thanks!
>
> --J
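Jason's point that unified2 records the event together with the packets behind it can be checked offline. The following is an added example, not code from this thread or from Snort: a small reader that walks a unified2 byte stream and groups the logged packet records by (sensor_id, event_id), so the segments that fed a reassembled stream match can be pulled out next to their event. It assumes the public unified2 record layout (big-endian type/length header, then the Unified2Packet fields) and runs on a constructed sample stream.

```python
import struct
from collections import defaultdict

# Record type ids from the public unified2 layout (assumed, not taken from the thread).
UNIFIED2_PACKET = 2
UNIFIED2_IDS_EVENT = 7
PACKET_HDR = "!7I"  # sensor_id, event_id, event_second, packet_second, packet_usec, linktype, packet_length
PACKET_HDR_LEN = struct.calcsize(PACKET_HDR)

def parse_unified2(data: bytes):
    """Yield (record_type, body) for each record; every record starts with a type/length header."""
    off = 0
    while off + 8 <= len(data):
        rtype, rlen = struct.unpack_from("!II", data, off)
        off += 8
        body = data[off:off + rlen]
        if len(body) != rlen:
            raise ValueError("truncated unified2 record at offset %d" % off)
        off += rlen
        yield rtype, body

def packets_by_event(data: bytes):
    """Map (sensor_id, event_id) -> list of raw packet payloads logged for that event."""
    groups = defaultdict(list)
    for rtype, body in parse_unified2(data):
        if rtype != UNIFIED2_PACKET:
            continue  # event / extra-data records are skipped; only packets are grouped here
        sensor_id, event_id, _es, _ps, _pus, _linktype, plen = struct.unpack_from(PACKET_HDR, body, 0)
        if PACKET_HDR_LEN + plen > len(body):
            raise ValueError("packet_length exceeds record body")
        groups[(sensor_id, event_id)].append(body[PACKET_HDR_LEN:PACKET_HDR_LEN + plen])
    return dict(groups)

def _packet_record(sensor_id: int, event_id: int, payload: bytes) -> bytes:
    """Build one constructed Unified2Packet record (linktype 1 = Ethernet, timestamps zeroed)."""
    body = struct.pack(PACKET_HDR, sensor_id, event_id, 0, 0, 0, 1, len(payload)) + payload
    return struct.pack("!II", UNIFIED2_PACKET, len(body)) + body

# Constructed sample stream: one event record (52-byte body, zeroed, not parsed here),
# then the two packets that made up that event's reassembled stream, then a packet
# belonging to a second event.
SAMPLE = (
    struct.pack("!II", UNIFIED2_IDS_EVENT, 52) + b"\x00" * 52
    + _packet_record(1, 10, b"GET /a ")
    + _packet_record(1, 10, b"HTTP/1.0\r\n")
    + _packet_record(1, 11, b"xyz")
)

if __name__ == "__main__":
    for key, pkts in packets_by_event(SAMPLE).items():
        print(key, [p for p in pkts])
```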