[Snort-users] HTTP reassembly problem - Snort

Mateusz Pigulski m.pigulski at ...11827...
Tue Jun 17 17:14:59 EDT 2014

Hi experts!!!

I am new user in mailing list and also new in snort, so firstly I want say
I have configured Snort with daq 2.0.2 and pf_ring 5.6.1. I want
use snort to capture HTTP POST which are forwarded to my system. I have
problem with configuration the output to store the reassembled packets.
When size of HTTP POST is larger then 1500, I can see in my unified2 file
that every tcp segemnt is stored as event and packet, so if HTTP POST
consist of 2 tcp segments I have 2 events and 2 packets, from my point of
view would be better to have only one event and packet for reassembled
packet. I have read this thread: http://seclists.org/snort/2012/q4/758, and
2 Years ago it was impossible, so my question is: is it possible to
configure in snort output with unified2 to store reassembled
packets ??

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20140617/06026a0d/attachment.html>

More information about the Snort-users mailing list