[Snort-users] Logging Reassembled Packets

Jason security at ...5028...
Thu Mar 13 20:20:35 EDT 2008


Snort is not intended to log full reassembled streams; it is intended to 
detect intrusion attempts and log the relevant data associated with 
those attempts. If you want full session logging, you should use tcpdump.

Kamran Shafi wrote:
> I notice that there is a show_rebuilt_packets option in the stream5_global
> configuration, which I have turned on but don't know if it is producing
> anything. I run Snort on some traffic collected on a web/DNS/MySQL server
> using the -r flag. The log shows that Snort filters out the server's response
> and keeps only the inbound traffic. I am not sure if this behaviour is
> because of the stream5 processor or something else?
> 
> On Fri, Mar 14, 2008 at 12:56 AM, Joel Esler <joel.esler at ...1935...>
> wrote:
> 
>> Again, a visit to the READMEs in the doc/ directory should help you.
>> Look up "log_flushed_streams" in the stream4 readme.
>> Joel
>>
>> On Mar 13, 2008, at 2:36 AM, Kamran Shafi wrote:
>>
>> Hi All,
>>
>> Is there a way to log the reassembled (TCP/UDP/ICMP) sessions in Snort?
>>
>> --
>> Regards
>> Kam
>> _______________________________________________
>> Snort-users mailing list
>> Snort-users at lists.sourceforge.net
>> Go to this URL to change user options or unsubscribe:
>> https://lists.sourceforge.net/lists/listinfo/snort-users
>> Snort-users list archive:
>> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>>
>> --
>> Joel Esler  joel.esler at ...1935...
> 
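The workflow Jason's reply implies, shown as an added example rather than code from this thread, from Snort or from tcpdump: record complete packets with tcpdump (for instance `tcpdump -i eth0 -s 0 -w full.pcap`, where the interface and file name are assumed and `-s 0` keeps packets from being truncated), then rebuild each direction of every TCP session offline from that file, which is the part Snort's preprocessors do not write out for you. The Python below uses only the standard library, reads a classic libpcap file, and stitches per-direction payloads together in sequence order while collapsing retransmissions, trimming overlaps and flagging holes the capture never saw. The addresses, ports and HTTP exchange in its sample capture are constructed in memory so it runs without a real trace.

```python
"""Reassemble per-direction TCP payloads from a classic (libpcap) capture file.

Standard library only; the sample capture at the bottom is constructed in memory
with made-up addresses, ports and an HTTP exchange so the script runs offline.
"""
import struct
from collections import defaultdict

PCAP_MAGIC_LE = 0xA1B2C3D4
LINKTYPE_ETHERNET = 1


def build_frame(src_ip, dst_ip, sport, dport, seq, payload):
    """Build a minimal Ethernet/IPv4/TCP frame (test data; checksums left at zero)."""
    eth = b"\x00" * 12 + b"\x08\x00"                       # dst MAC, src MAC, EtherType IPv4
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0,  # data offset 5 words, PSH|ACK
                      5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes(int(o) for o in src_ip.split(".")),
                     bytes(int(o) for o in dst_ip.split(".")))
    return eth + ip + tcp


def build_pcap(frames, first_ts=1205431200):
    """Wrap frames in a little-endian pcap file image (global header + record headers)."""
    out = bytearray(struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET))
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", first_ts + i, 0, len(frame), len(frame)) + frame
    return bytes(out)


def iter_frames(pcap):
    """Yield the captured bytes of each record, honouring the file's byte order."""
    magic = struct.unpack_from("<I", pcap, 0)[0]
    if magic == PCAP_MAGIC_LE:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (nanosecond pcap and pcapng unsupported)")
    if struct.unpack_from(endian + "I", pcap, 20)[0] != LINKTYPE_ETHERNET:
        raise ValueError("only the Ethernet link type is handled here")
    off = 24
    while off + 16 <= len(pcap):
        _sec, _usec, incl_len, _orig_len = struct.unpack_from(endian + "IIII", pcap, off)
        off += 16
        yield pcap[off:off + incl_len]
        off += incl_len


def parse_tcp(frame):
    """Return (src, dst, sport, dport, seq, payload) for an IPv4/TCP frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ihl = (frame[14] & 0x0F) * 4
    total_len = struct.unpack_from("!H", frame, 16)[0]
    if frame[23] != 6:                                      # IP protocol 6 = TCP
        return None
    src = ".".join(str(b) for b in frame[26:30])
    dst = ".".join(str(b) for b in frame[30:34])
    tcp_off = 14 + ihl
    sport, dport, seq = struct.unpack_from("!HHI", frame, tcp_off)
    data_off = (frame[tcp_off + 12] >> 4) * 4
    payload = frame[tcp_off + data_off:14 + total_len]      # stop before any Ethernet padding
    return src, dst, sport, dport, seq, payload


def reassemble(pcap):
    """Stitch each direction of each TCP flow back together in sequence order.

    Retransmissions (same seq) are collapsed, overlapping bytes trimmed, and holes
    the capture never saw are flagged inline rather than silently dropped.
    """
    segments = defaultdict(dict)                            # (src, sport, dst, dport) -> {seq: bytes}
    for frame in iter_frames(pcap):
        parsed = parse_tcp(frame)
        if parsed is None:
            continue
        src, dst, sport, dport, seq, payload = parsed
        if payload:
            segments[(src, sport, dst, dport)].setdefault(seq, payload)
    sessions = {}
    for key, segs in segments.items():
        buf, expected = bytearray(), None
        for seq in sorted(segs):
            payload = segs[seq]
            if expected is None:
                expected = seq
            if seq < expected:                              # overlaps bytes already emitted
                payload = payload[expected - seq:]
                seq = expected
            elif seq > expected:                            # hole: lost before the capture point
                buf += b"<%d bytes missing>" % (seq - expected)
            buf += payload
            expected = seq + len(payload)
        sessions[key] = bytes(buf)
    return sessions


def sample_pcap():
    """Constructed capture: a reordered and retransmitted HTTP request plus its reply."""
    c, s = "10.0.0.5", "192.168.1.10"                       # made-up client and server
    return build_pcap([
        build_frame(c, s, 40000, 80, 1016, b"Host: www.example.com\r\n\r\n"),  # arrives first
        build_frame(c, s, 40000, 80, 1000, b"GET / HTTP/1.0\r\n"),
        build_frame(c, s, 40000, 80, 1000, b"GET / HTTP/1.0\r\n"),             # retransmission
        build_frame(s, c, 80, 40000, 5000, b"HTTP/1.0 200 OK\r\n\r\n"),
        build_frame(s, c, 80, 40000, 5019, b"hello\n"),
    ])


if __name__ == "__main__":
    for (src, sport, dst, dport), data in reassemble(sample_pcap()).items():
        print(f"{src}:{sport} -> {dst}:{dport} ({len(data)} bytes)")
        print(data.decode("latin-1"))
```

Both directions come out separately keyed by (src, sport, dst, dport), so the server's response that Kamran found missing from Snort's log is present as its own entry. To use it on a real trace, replace `sample_pcap()` with `open("full.pcap", "rb").read()`; the placeholder markers for missing bytes make capture drops visible instead of producing a silently shortened session.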