[Snort-devel] 'only_stream' (and other alternate decode buffers) do not write out data to the logs

Jason Brvenik jason.brvenik at ...402...
Fri Oct 7 22:17:57 EDT 2011


I'm sure one of the devs will know better but I want to say it has been
years.
On Oct 7, 2011 10:15 PM, <Joshua.Kinard at ...3108...> wrote:
> -----Original Message-----
> From: Jason Brvenik [mailto:jason.brvenik at ...402...]
> Sent: Friday, October 07, 2011 8:51 PM
> Subject: Re: [Snort-devel] 'only_stream' (and other alternate
> decode buffers) do not write out data to the logs
>
>> AFAIK pseudo packet logging is gone and has been for a while.
>> The only output method that supports this (differently mind
>> you) is unified2.
>>
>> If you log to unified2 it will log the event and the packet(s)
>> that made up the event. In your case these should be the
>> packets that created the reassembled pseudo packet.
>
> Interesting. Do you know of a particular date this might have happened
> around? I'd like to go dig into CVS and maybe re-integrate the code and
> try it out. Could've been a problem with it initially that forced the
> removal.
>
> I haven't played with unified2 that much. I typically just log to
> straight libpcap files and analyze them in Wireshark.
>
>
> Thanks!
>
> --J
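The point Jason makes above is that unified2 writes the event record and then the original packets that made up the reassembled pseudo packet, tied together by sensor id and event id. The following is an added example (it is not code from the thread or from the Snort project) showing what that looks like on disk: it builds a small constructed unified2 stream with one IDS event and two packet records sharing its event id, then parses it back and groups the packets under their event. The record layouts (8-byte record header, 52-byte IPv4 IDS_EVENT, 28-byte PACKET header followed by the packet bytes, all big-endian) follow Snort's Unified2_common.h; the sample addresses, ports and payloads are made up for the demonstration.

```python
"""Build and parse Snort unified2 records, grouping logged packets by event."""
import struct
from typing import Dict, Iterator, List, Tuple

# Record type ids from Snort's unified2 format (Unified2_common.h).
UNIFIED2_PACKET = 2
UNIFIED2_IDS_EVENT = 7

HEADER = struct.Struct("!II")           # record type, length of the body that follows
IDS_EVENT = struct.Struct("!11I2H4B")   # 52-byte IPv4 event record
PACKET_HDR = struct.Struct("!7I")       # 28-byte packet header, then packet_length bytes of data


def build_event(sensor_id: int, event_id: int, event_second: int, sig_id: int, gen_id: int,
                src_ip: int, dst_ip: int, sport: int, dport: int, proto: int) -> bytes:
    """Serialize one IDS_EVENT record (revision 1, classification 0, priority 1)."""
    body = IDS_EVENT.pack(sensor_id, event_id, event_second, 0, sig_id, gen_id, 1, 0, 1,
                          src_ip, dst_ip, sport, dport, proto, 0, 0, 0)
    return HEADER.pack(UNIFIED2_IDS_EVENT, len(body)) + body


def build_packet(sensor_id: int, event_id: int, event_second: int, data: bytes,
                 linktype: int = 1) -> bytes:
    """Serialize one PACKET record carrying raw packet bytes for the given event."""
    body = PACKET_HDR.pack(sensor_id, event_id, event_second, event_second, 0,
                           linktype, len(data)) + data
    return HEADER.pack(UNIFIED2_PACKET, len(body)) + body


def iter_records(blob: bytes) -> Iterator[Tuple[int, bytes]]:
    """Yield (record_type, body) pairs; a record cut short by a truncated file raises."""
    off = 0
    while off + HEADER.size <= len(blob):
        rtype, rlen = HEADER.unpack_from(blob, off)
        off += HEADER.size
        if off + rlen > len(blob):
            raise ValueError(f"truncated record of type {rtype} at offset {off - HEADER.size}")
        yield rtype, blob[off:off + rlen]
        off += rlen


def group_packets_by_event(blob: bytes) -> Tuple[Dict[Tuple[int, int], dict],
                                                 Dict[Tuple[int, int], List[bytes]]]:
    """Return (events, packets), both keyed by (sensor_id, event_id)."""
    events: Dict[Tuple[int, int], dict] = {}
    packets: Dict[Tuple[int, int], List[bytes]] = {}
    for rtype, body in iter_records(blob):
        if rtype == UNIFIED2_IDS_EVENT and len(body) == IDS_EVENT.size:
            f = IDS_EVENT.unpack(body)
            events[(f[0], f[1])] = {"sig_id": f[4], "gen_id": f[5], "src_ip": f[9],
                                    "dst_ip": f[10], "sport": f[11], "dport": f[12],
                                    "proto": f[13]}
        elif rtype == UNIFIED2_PACKET:
            f = PACKET_HDR.unpack_from(body)
            data = body[PACKET_HDR.size:PACKET_HDR.size + f[6]]
            packets.setdefault((f[0], f[1]), []).append(data)
        # IPv6 events, V2 events and EXTRA_DATA records are ignored in this example.
    return events, packets


# Constructed sample stream: one event, followed by the two segments that were
# reassembled into the pseudo packet the rule actually matched on.
SAMPLE_LOG = (
    build_event(1, 1001, 1317992400, 1000001, 1, 0xC0A80001, 0x0A000005, 40123, 80, 6)
    + build_packet(1, 1001, 1317992400, b"GET /index")
    + build_packet(1, 1001, 1317992400, b".html HTTP/1.1\r\n\r\n")
)


if __name__ == "__main__":
    evs, pkts = group_packets_by_event(SAMPLE_LOG)
    for key, ev in evs.items():
        print(f"event {key}: sid {ev['gen_id']}:{ev['sig_id']} "
              f"with {len(pkts.get(key, []))} logged packet(s)")
```

Reading a real unified2 file is the same loop over `open(path, "rb").read()`; the truncation check matters because Snort writes records as alerts arrive, so a file copied mid-write can end in a partial record.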