[Snort-users] log reassembled packet not only original packet
jesler at ...1935...
Wed Dec 16 09:26:11 EST 2009
On Wed, Dec 16, 2009 at 2:50 AM, Chun Chan <chun_chan at ...14432...> wrote:
> I installed Snort and configured it. I want to log all TCP-reassembled packets, not only the original packets that caused the alarm. For example, this is the application layer:
> Packet no 1: FOO trytrytry
> Packet no 2: abcdfedgassd
> I assume packet 1 and packet 2 need to be reassembled (TCP reassembly). I need to dump the content of all reassembled packets to a file, not only the first original packet, but Snort only dumps the first packet "FOO trytrytry" to the file. I use the stream5 preprocessor with flush_on_alert.
> My configuration file is:
> preprocessor stream5_global: track_tcp yes, track_udp no, track_icmp no , flush_on_alert
> preprocessor stream5_tcp: policy linux, ports both all
> preprocessor stream5_udp: ignore_any_rules
> alert tcp any any -> any any (content:"FOO"; msg: "sucess";)
What is your output configuration? I think you can only dump
reassembled packets with unified output.
Joel Esler | 302-223-5974 | gtalk: jesler at ...1935...
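As an added illustration of the reply above (not from the thread itself), this is the questioner's stream5 setup paired with a unified2 output plugin; the `output unified2` directive and its `filename`/`limit` options follow the Snort 2.x manual syntax, and the file name and size limit are assumed values:

```conf
# Keep the stream5 settings from the original question: track TCP only and
# flush the reassembled stream when an alert fires on it.
preprocessor stream5_global: track_tcp yes, track_udp no, track_icmp no, flush_on_alert
preprocessor stream5_tcp: policy linux, ports both all
preprocessor stream5_udp: ignore_any_rules

# Assumed output configuration: unified2 writes the alert and the packet that
# matched, including stream-rebuilt packets, to a binary log that tools such as
# barnyard2 can read. File name and 128 MB rollover limit are example values.
output unified2: filename snort.u2, limit 128

# The rule from the original question (message text kept as posted).
alert tcp any any -> any any (content:"FOO"; msg: "sucess";)
```

Packet-level readers such as log_tcpdump only see the packet that triggered the rule, which is the behaviour the original poster observed, so the reassembled data is only available through the unified output path.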