[Snort-users] reassembling transmitted data

gimmi gionnini gimmiqwerty at ...125...
Tue Sep 10 11:22:03 EDT 2002

Hi, I'm quite a newbie with snort and I have a problem when I log a mail and 
its attachment.
I run my box with snort, mysql, apache, php, generally the last release of 
Actually I'm logging to a mysql db with only 2 simple rules like

log tcp any 110 > any any
log tcp any any > any 25

and snort.conf with stream4_reassemble: both, ports 25,110
No problem with text data: when I use the 'encoding=ascii' option, I can see 
in the data field of the db the message transmitted in perfect plain text 
and also the sender/receiver accounts, with some quoted characters, but with 
the info still usable.
The problem is that I don't know how to reconstruct the entire file of a 
non-text attachment as it was when posted; is there a way in which I can 
convert the ascii payloads (after joining the single data fields, I suppose) into 
the exact attachment?
Or better, logging in the default binary format, is there a way in which I can 
reassemble the message+attachment and convert this entity with 
bin2-something into something exactly as it was when sent?
I don't completely understand either what I can do by logging in tcpdump 
format, even if it seems to be a possible way to resolve my problem, or whether I 
can still log to the mysql db using log_tcpdump.
Thanks in advance for all explanations & tips


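The reconstruction the poster asks about, as an added example that is not part of the original thread or of Snort: the captured TCP payloads of an SMTP session are joined by sequence number (dropping retransmitted bytes), the message is cut out of the SMTP dialogue after DATA with dot-stuffing undone, and the MIME attachment is base64-decoded back to its original bytes. The session, its segmentation and the attachment contents are all constructed here; with Snort's database output the payloads would come from the `data` column instead.

```python
import base64
import email
from email import policy

# Constructed sample (not real capture data): one SMTP session carrying a
# MIME message with a base64 attachment, as the 'log tcp ... 25' rule sees it.
ATTACHMENT = bytes(range(256))
MESSAGE = (
    b"From: alice@example.invalid\r\nTo: bob@example.invalid\r\n"
    b"Subject: report\r\nMIME-Version: 1.0\r\n"
    b'Content-Type: multipart/mixed; boundary="XX"\r\n\r\n'
    b"--XX\r\nContent-Type: text/plain\r\n\r\nsee attached\r\n"
    b'--XX\r\nContent-Type: application/octet-stream; name="a.bin"\r\n'
    b"Content-Transfer-Encoding: base64\r\n"
    b'Content-Disposition: attachment; filename="a.bin"\r\n\r\n'
    + base64.b64encode(ATTACHMENT) + b"\r\n--XX--\r\n"
)
SESSION = (b"MAIL FROM:<alice@example.invalid>\r\nRCPT TO:<bob@example.invalid>\r\n"
           b"DATA\r\n" + MESSAGE + b".\r\n")

def segments(data, size=200):
    """(seq, payload) records out of order, plus one full and one partial retransmission."""
    segs = [(i, data[i:i + size]) for i in range(0, len(data), size)]
    return segs[::-1] + [segs[0], (100, data[100:300])]

def reassemble(segs):
    """Join payloads by TCP sequence number, dropping bytes already seen."""
    out, nxt = bytearray(), None
    for seq, payload in sorted(segs):
        end = seq + len(payload)
        if nxt is not None:
            if end <= nxt:            # nothing new in this segment
                continue
            if seq < nxt:             # partial overlap: keep only the new tail
                payload = payload[nxt - seq:]
        out += payload
        nxt = end
    return bytes(out)

def smtp_message(stream):
    """Message after DATA up to the lone '.' line, with RFC 5321 dot-stuffing undone."""
    start = stream.index(b"DATA\r\n") + len(b"DATA\r\n")
    end = stream.index(b"\r\n.\r\n", start)
    return stream[start:end + 2].replace(b"\r\n..", b"\r\n.")

def attachments(raw):
    """Parse the MIME message and return {filename: decoded bytes}."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    return {p.get_filename(): p.get_payload(decode=True) for p in msg.iter_attachments()}
```

POP3 sessions logged by the other rule carry the same dot-stuffed message after the server's `+OK` reply to RETR, so only the cut-out step differs.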