[Snort-users] reassembling transmitted data
gimmiqwerty at ...125...
Tue Sep 10 11:22:03 EDT 2002
Hi, I'm quite a newbie about snort and I have a problem when I log a mail.
I run my box with snort, mysql, apache, php, generally the last release of

Actually I'm logging on a mysql db with only 2 simple rules like

log tcp any 110 -> any any
log tcp any any -> any 25

and snort.conf with stream4_reassemble: both, ports 25 110

No matter about text data: when I use the 'encoding=ascii' option, I can see
in the data field of the db the message transmitted in perfect plain text,
and also the sender/receiver accounts, with some quoted characters, but with
the info still usable.

The problem is that I don't know how to reconstruct the entire file of a
non-text attachment as it was when posted; is there a way in which I can
convert ASCII payloads (after joining the single data fields, I suppose) into
the exact attachment?

Or better, logging in default binary, is there a way in which I can
reassemble the message+attachment and convert this entity with
bin2-something into something exactly as it was when sent?

I don't completely understand either what I can do logging in tcpdump
format, even if it seems to be a possible way to resolve my problem, or
whether I can anyway log on the mysql db using log_tcpdump.

Thanks in advance for all explanations & tips.