[Snort-users] HTTP reassembly problem - Snort 184.108.40.206
m.pigulski at ...11827...
Tue Jun 17 17:14:59 EDT 2014
I am a new user on the mailing list and also new to Snort, so firstly I want to say
I have configured Snort 220.127.116.11 with daq 2.0.2 and pf_ring 5.6.1. I want to
use Snort to capture HTTP POSTs which are forwarded to my system. I have a
problem with configuring the output to store the reassembled packets.
When the size of an HTTP POST is larger than 1500, I can see in my unified2 file
that every TCP segment is stored as an event and a packet, so if an HTTP POST
consists of 2 TCP segments I have 2 events and 2 packets. From my point of
view it would be better to have only one event and packet for the reassembled
packet. I have read this thread: http://seclists.org/snort/2012/q4/758, and
2 years ago it was impossible, so my question is: is it possible to
configure in Snort 18.104.22.168 output with unified2 to store reassembled