[Snort-users] log reassembled packet not only original packet
chun_chan at ...14432...
Wed Dec 16 02:50:22 EST 2009
I installed and configured Snort. I want to log all packets of the reassembled TCP stream, not only the original packet that caused the alarm. For example, this is the application layer:
Packet no 1: FOO trytrytry
Packet no 2: abcdfedgassd
I assume packet 1 and packet 2 need to be reassembled (TCP reassembly). I need to dump the content of the whole reassembled packet to a file, not only the first original packet, but Snort only dumps the first packet, "FOO trytrytry", to the file. I use the stream5 preprocessor with flush_on_alert.
My configuration file is:
preprocessor stream5_global: track_tcp yes, track_udp no, track_icmp no , flush_on_alert
preprocessor stream5_tcp: policy linux, ports both all
preprocessor stream5_udp: ignore_any_rules
alert tcp any any -> any any (content:"FOO";
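An added illustration, not part of the original post and not Snort code: a toy TCP stream reassembler in Python using the two application-layer payloads from the post. It shows what a per-segment content match sees versus what a match against the rebuilt stream sees. The sequence numbers, the out-of-order arrival and the cross-boundary pattern "trytryabcd" are constructed for this example.

```python
"""Per-segment vs reassembled-stream content matching (constructed example).

Two TCP segments carry the bytes from the post.  Each is inspected once as a
raw segment and the pair is inspected once as a reassembled stream, which is
the distinction behind "which packet gets logged" when a rule fires.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Segment:
    seq: int        # TCP sequence number of the first payload byte
    payload: bytes


def reassemble(segments: List[Segment], isn: int) -> Optional[bytes]:
    """Return the contiguous byte stream starting at sequence number isn.

    Segments are processed in sequence-number order, so arrival order does
    not matter.  Bytes already buffered win over an overlapping later
    segment (a simplified policy; real stacks and Stream5's per-OS policies
    differ).  If a hole remains (a segment is missing), return None: the
    stream cannot be flushed past the gap.
    """
    buffer = bytearray()
    have = 0                                  # bytes buffered so far
    for seg in sorted(segments, key=lambda s: s.seq):
        offset = seg.seq - isn                # where this segment starts in the stream
        if offset > have:                     # gap before this segment
            return None
        if offset < have:                     # overlap: drop the already-covered prefix
            new = seg.payload[have - offset:]
        else:
            new = seg.payload
        buffer.extend(new)
        have = len(buffer)
    return bytes(buffer)


def per_packet_alerts(segments: List[Segment], pattern: bytes) -> List[Tuple[int, bytes]]:
    """Raw-packet inspection: (seq, payload) of every segment that contains pattern.

    This is what a content match sees when it runs on individual segments;
    the payload returned is only that segment's own bytes.
    """
    return [(s.seq, s.payload) for s in segments if pattern in s.payload]


def stream_alert(segments: List[Segment], isn: int, pattern: bytes) -> Optional[bytes]:
    """Rebuilt-stream inspection: the reassembled payload if pattern occurs in it.

    Returns None when the stream is incomplete or the pattern is absent.
    """
    stream = reassemble(segments, isn)
    if stream is None or pattern not in stream:
        return None
    return stream


# Constructed input: the two payloads from the post, second segment arriving first.
ISN = 1000
SEG1 = Segment(ISN, b"FOO trytrytry")                     # 13 bytes
SEG2 = Segment(ISN + len(SEG1.payload), b"abcdfedgassd")  # 12 bytes, directly after SEG1
ARRIVED = [SEG2, SEG1]


if __name__ == "__main__":
    # "FOO" sits entirely in segment 1: a per-segment match fires on that
    # segment alone and sees only its 13 bytes.
    print(per_packet_alerts(ARRIVED, b"FOO"))
    # The rebuilt stream carries both segments.
    print(stream_alert(ARRIVED, ISN, b"FOO"))
    # A pattern that straddles the segment boundary is invisible per packet
    # and only matches on the reassembled stream.
    print(per_packet_alerts(ARRIVED, b"trytryabcd"))
    print(stream_alert(ARRIVED, ISN, b"trytryabcd"))
    # With segment 1 missing there is a hole, so nothing can be flushed.
    print(reassemble([SEG2], ISN))
```

The two inspection paths return different payloads for the same match: a hit on the raw first segment carries only "FOO trytrytry", while a hit against the rebuilt stream carries the bytes of both segments, and a pattern split across the boundary is only reachable through reassembly at all. The hole case shows why a reassembler cannot emit data past a missing segment.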