[Snort-users] Stream/Packet Capture with Snort

Marc Norton mnorton at ...1935...
Wed May 11 08:46:50 EDT 2005

You cannot capture packets prior to the event packet, usually.  The 
exception is if the session data is being reassembled.  If a specific 
stream is being saved for reassembly and an event packet comes along, 
all of the saved packets are logged.  Otherwise, snort does not buffer 
up session data as would be needed to log packets prior to an event 
generating packet. Once a packet causes an event you can use event 
tagging to log the rest of the session.

Paul Melson wrote:

>I'm using one of my Snort sensors (v2.3.2 w/ flexresp) to monitor, among
>other things, outbound e-mail traffic.  Right now I am logging to a MySQL
>database and can view the offending packet data on a per-alert basis.  In
>the case of e-mail traffic, packet captures of lengthy messages (say those
>with MIME attachments) don't always include the message headers.  
>I have been reading up on stream4 and stream4_reassemble, hoping that I can
>force Snort to match on (and thus log) the entire "client" side conversation
>to the database, but I'm not having any luck.  Here are the preprocessor
>lines from my snort.conf file: 
>preprocessor stream4: enforce_state disable_evasion_alerts memcap 67108864
>preprocessor stream4_reassemble: clientonly, ports 25
>Unfortunately, I still only get the packet with the offending string in the
>database.  Am I barking up the wrong tree here?
>This SF.Net email is sponsored by: NEC IT Guy Games.
>Get your fingers limbered up and give it your best shot. 4 great events, 4
>opportunities to win big! Highest score wins.NEC IT Guy Games. Play to
>win an NEC 61 plasma display. Visit http://www.necitguy.com/?r=20
>Snort-users mailing list
>Snort-users at lists.sourceforge.net
>Go to this URL to change user options or unsubscribe:
>Snort-users list archive:

More information about the Snort-users mailing list