[Snort-users] log_flushed_streams with Stream5

Joel Esler eslerj at ...11827...
Tue Mar 17 20:05:51 EDT 2009


Take a look at the readme for stream5 in the tarball of Snort.  It's located
in the /doc directory.
Paste:

- Preprocessor name: stream5_global
- Options:
    track_tcp <yes|no>      - Track sessions for TCP.  The default is "yes".
    max_tcp <number>        - Max concurrent sessions for TCP.  The default
                              is "256000", maximum is "1052672", minimum is
"1".
    memcap <bytes>          - Memcap for TCP packet storage.  The default
                              is "8388608" (8MB), maximum is "1073741824"
(1GB),
                              minimum is "32768" (32KB).
    track_udp <yes|no>      - Track sessions for UDP.  The default is "yes".
    max_udp <number>        - Max concurrent sessions for UDP.  The default
                              is "128000", maximum is "1052672", minimum is
"1".
    track_icmp <yes|no>     - Track sessions for ICMP.  The default is
"yes".
    max_icmp <number>       - Max concurrent sessions for ICMP.  The default
                              is "64000", maximum is "1052672", minimum is
"1".
*    flush_on_alert          - Backwards compatibility.  Flush a TCP stream*
*                              when an alert is generated on that stream.
 The*
*                              default is set to off.*
    show_rebuilt_packets    - Print/display packet after rebuilt (for
                              debugging).  The default is set to off.
    prune_log_max <bytes>   - Print a message when a session terminates that
                              was consuming more than the specified number
of
                              bytes.  The default is "1048576" (1MB),
minimum
                              is "0" (unlimited), maximum is not bounded,
other
                              than by the memcap.


Thanks.

J

On Sat, Mar 7, 2009 at 11:18 AM, phez asap <phez.asap at ...11827...> wrote:

> Hi all
>
> I was using the "log_flushed_streams" option with stream4/flow to do a pcap
> dump of streams that triggered a rule. I am trying to switch over to using
> the Stream5 preprocessor but it does not seem to support this. It is very
> useful and I have to guess it is still possible to do this. Is there a new
> way that this is being set up now when using stream5?
>
> I tried posting this to the list before but it looked like it did not work.
> Sorry if this is a double post.
>
> =Mike=
>
>
> ------------------------------------------------------------------------------
> Open Source Business Conference (OSBC), March 24-25, 2009, San Francisco,
> CA
> -OSBC tackles the biggest issue in open source: Open Sourcing the
> Enterprise
> -Strategies to boost innovation and cut costs with open source
> participation
> -Receive a $600 discount off the registration fee with the source code:
> SFAD
> http://p.sf.net/sfu/XcvMzF8H
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>



-- 
Joel Esler
T: 302-223-5974 (-) Gtalk: jesler at ...1935...
[m]
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20090317/9ed5f518/attachment.html>


More information about the Snort-users mailing list