[Snort-users] log reassembled packet not only original packet

Chun Chan chun_chan at ...14432...
Wed Dec 16 02:50:22 EST 2009


I installed and configured Snort. I want to log all TCP-reassembled packets, not only the original packet that caused the alarm. For example, this is the application layer:

Packet no 1: FOO trytrytry
Packet no 2: abcdfedgassd

I assumed packet 1 and packet 2 need to be reassembled (TCP reassembly). I need to dump all of the reassembled packet content to a file, not only the first original packet, but Snort only dumps the first packet, "FOO trytrytry", to the file. I use the stream5 preprocessor with flush_on_alert.

My configuration file is:
preprocessor stream5_global: track_tcp yes, track_udp no, track_icmp no, flush_on_alert
preprocessor stream5_tcp: policy linux, ports both all
preprocessor stream5_udp: ignore_any_rules
alert tcp any any -> any any (msg:"success"; content:"FOO"; sid:1000001; rev:1;)
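As an added illustration (not Snort code and not part of the original post), the following toy reassembler shows conceptually what a stream preprocessor such as stream5 does before a rule's content match runs, and why the data available at flush time is the rebuilt stream rather than the single wire packet that tripped the rule. The segment list, sequence numbers and the first-wins overlap policy are constructed assumptions for the demo.

```python
# Toy TCP stream reassembly, modelled on what a preprocessor like stream5 does
# before a rule's content match is evaluated. Constructed sample data only.
from dataclasses import dataclass

@dataclass
class Segment:
    seq: int        # TCP sequence number of the first payload byte
    payload: bytes

def reassemble(isn, segments):
    """Rebuild the contiguous byte stream whose first payload byte has
    sequence number isn. Stops at the first gap (a real reassembler would
    wait for the missing segment). Overlapping bytes keep the data that
    arrived first (first-wins; stream5 selects such a policy per target OS)."""
    buf = bytearray()
    next_seq = isn
    for seg in sorted(segments, key=lambda s: s.seq):
        end = seg.seq + len(seg.payload)
        if end <= next_seq:
            continue                               # pure retransmission
        if seg.seq > next_seq:
            break                                  # gap: cannot continue
        buf += seg.payload[next_seq - seg.seq:]    # trim the overlap
        next_seq = end
    return bytes(buf)

def per_packet_match(pattern, segments):
    """Sequence numbers of the wire segments that contain the pattern on
    their own, i.e. what matching without reassembly would see."""
    return [s.seq for s in segments if pattern in s.payload]

def alert_payload(pattern, isn, segments):
    """The data a flush-on-alert record would carry: the whole rebuilt
    stream when the rule matches it, None otherwise."""
    stream = reassemble(isn, segments)
    return stream if pattern in stream else None

# Constructed capture: the client's data from the post, delivered out of
# order, with "FOO" deliberately split across two segments and one
# segment retransmitted. Initial payload sequence number is 1000.
SEGMENTS = [
    Segment(1013, b"abcdfedgassd"),   # second application packet, arrives first
    Segment(1000, b"FO"),
    Segment(1002, b"O trytrytry"),
    Segment(1002, b"O trytrytry"),    # retransmission of the previous segment
]

if __name__ == "__main__":
    print(per_packet_match(b"FOO", SEGMENTS))   # [] - no single packet matches
    print(alert_payload(b"FOO", 1000, SEGMENTS))  # full reassembled stream
```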
