[Snort-users] log reassembled packet not only original packet

Joel Esler jesler at ...1935...
Wed Dec 16 09:26:11 EST 2009


On Wed, Dec 16, 2009 at 2:50 AM, Chun Chan <chun_chan at ...14432...> wrote:
>
> Hi
>
> I install snort and configured. I want to do logging all packets which tcp reassembled not only original packets that caused alarm. For example: this is aplication layer
>
> Packet no 1:    FOO trytrytry
> Packet no 2:   abcdfedgassd
>
> I assumed, packet1 and packet2 need reassemble  (tcp reassemble.)   I need dump to file with all reassembled packet content. not only first original packet. but snort only dump to file first packet "FOO trytrytry". I use stream5 preprocessor with flush_on_alert
>
> my configuration file is
> preprocessor stream5_global: track_tcp yes, track_udp no, track_icmp no , flush_on_alert
> preprocessor stream5_tcp: policy linux, ports both all
> preprocessor stream5_udp: ignore_any_rules
> alert tcp any any -> any any (content:"FOO"; msg: "sucess";)
>

What is your output configuration?  I think you can only dump
reassembled packets with unified output.



--
Joel Esler | 302-223-5974 | gtalk: jesler at ...1935...




More information about the Snort-users mailing list