[Snort-sigs] logging session using tagging
snort-rules at ...1343...
Tue Apr 29 06:53:06 EDT 2003
On Tue, 2003-04-29 at 15:43, Erek Adams wrote:
> And I'll bet that you're just using default options on stream4_reassemble.
> :) Have a look a few lines down in the .conf and you'll see this:
> # both - reassemble both sides of a session
> There ya go.
that was what I thought ... so my config looks like this:
# tcp stream reassembly directive
# no arguments loads the default configuration
# Only reassemble the client,
# Only reassemble the default list of ports (See below),
# Give alerts for "bad" streams
# Available options (comma delimited):
# clientonly - reassemble traffic for the client side of a connection...
# serveronly - reassemble traffic for the server side of a connection...
# both - reassemble both sides of a session
# noalerts - turn off alerts from the stream reassembly stage of stream4
# ports [list] - use the space separated list of ports in [list], "all"
# will turn on reassembly for all ports, "default" will turn
# on reassembly for ports 21, 23, 25, 53, 80, 143, 110, 111
# and 513
preprocessor stream4_reassemble: both, ports all
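
The option semantics described in the config comments above, as an added example that is not part of the original post or of Snort itself: a small Python checker that resolves the effective stream4_reassemble settings in a snort.conf and reports whether both sides of a session on a given port are reassembled. The function names are hypothetical, and the parsing follows only the comment text quoted in this message (defaults: client side only, default port list, alerts on).

```python
import re

# Default port list, taken from the snort.conf comments quoted in the post.
DEFAULT_PORTS = {21, 23, 25, 53, 80, 143, 110, 111, 513}
DIRECTIVE = re.compile(r"^\s*preprocessor\s+stream4_reassemble\s*(?::\s*(.*))?$")


def resolve_ports(words):
    """Turn the words after 'ports' into "all" or a set of port numbers."""
    if "all" in words:
        return "all"
    ports = set()
    for word in words:
        ports |= DEFAULT_PORTS if word == "default" else {int(word)}
    return ports


def effective_reassembly(conf_text):
    """Settings of the last active stream4_reassemble line, or None."""
    result = None
    for line in conf_text.splitlines():
        match = DIRECTIVE.match(line)  # commented-out lines never match
        if not match:
            continue
        # Documented defaults: client side only, default ports, alerts on.
        cfg = {"client": True, "server": False, "alerts": True,
               "ports": set(DEFAULT_PORTS)}
        for option in (match.group(1) or "").split(","):
            words = option.lower().split()
            if not words:
                continue
            if words[0] in ("clientonly", "serveronly", "both"):
                cfg["client"] = words[0] != "serveronly"
                cfg["server"] = words[0] != "clientonly"
            elif words[0] == "noalerts":
                cfg["alerts"] = False
            elif words[0] == "ports":
                cfg["ports"] = resolve_ports(words[1:])
            else:
                raise ValueError("unknown option: " + option.strip())
        result = cfg
    return result


def covers_session(cfg, port):
    """True if both directions of a TCP session on `port` are reassembled."""
    return (cfg is not None and cfg["client"] and cfg["server"]
            and (cfg["ports"] == "all" or port in cfg["ports"]))
```

Run `effective_reassembly()` over the full text of a snort.conf and pass the result to `covers_session()` for each port whose sessions you expect to see from both sides.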