[Snort-users] log single packet vs reassembled stream

Alex Butcher, ISC/ISYS Alex.Butcher at ...11254...
Mon Oct 4 02:50:54 EDT 2004

--On 03 October 2004 20:39 -0700 Thomas Anderson <neo_ait at ...131...> wrote:

> If in a stream a packet got an alert then will the packet get logged or
> the stream get logged... or both of them get logged ??? If stream4
> preprocessor is enabled.....
> What I see is that only the alerted packet is logged.... Is there any
> option to enable the logging of the entire reassembled packet ?????

Assuming you mean 'entire reassembled session', then what you're after is 
the tag keyword (note, though, that it cannot go back in time and include 
packets that were sent before the alert was generated).

> thanks in advance
> Thomas

Best Regards,
Alex Butcher: Security & Integrity, Personal Computer Systems Group
Information Systems and Computing             GPG Key ID: F9B27DC9
GPG Fingerprint: D62A DD83 A0B8 D174 49C4 2849 832D 6C72 F9B2 7DC9
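
The tag keyword mentioned in the reply above, shown as an added example that is not part of the original message. The content string, port, message text and SIDs are constructed placeholders; $EXTERNAL_NET and $HOME_NET are assumed to be defined in snort.conf.

```snort
# Constructed example rules (placeholders: content string, port 21, SIDs in the local range).

# Without tag: only the single packet that matched the rule is logged.
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"EXAMPLE keyword, single packet only"; flow:to_server,established; content:"EXAMPLE-KEYWORD"; sid:1000001; rev:1;)

# With tag:session: after the alert fires, keep logging packets from the same
# session for the next 300 seconds. Packets sent before the alert are not included.
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"EXAMPLE keyword, tag rest of session"; flow:to_server,established; content:"EXAMPLE-KEYWORD"; tag:session,300,seconds; sid:1000002; rev:1;)

# With tag:host: after the alert fires, log the next 100 packets from the
# source address of the alerting packet, across all of its sessions.
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"EXAMPLE keyword, tag source host"; flow:to_server,established; content:"EXAMPLE-KEYWORD"; tag:host,100,packets,src; sid:1000003; rev:1;)
```

Tagged packets are written to the configured log output along with the alerting packet, so a packet-logging output such as the tcpdump-format binary log is needed to capture them.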
