[Snort-users] HTTP reassembly problem - Snort 2.9.6.1

Mateusz Pigulski m.pigulski at ...11827...
Sun Jun 22 16:00:01 EDT 2014


Hello, does anybody know this issue?


2014-06-17 23:14 GMT+02:00 Mateusz Pigulski <m.pigulski at ...11827...>:

>
> Hi experts!
>
> I am a new user on the mailing list and also new to Snort, so firstly I want
> to say hello!
> I have configured Snort 2.9.6.1 with daq 2.0.2 and pf_ring 5.6.1. I want to
> use Snort to capture HTTP POSTs which are forwarded to my system. I have a
> problem with configuring the output to store the reassembled packets.
> When the size of an HTTP POST is larger than 1500, I can see in my unified2 file
> that every TCP segment is stored as an event and a packet, so if an HTTP POST
> consists of 2 TCP segments I have 2 events and 2 packets; from my point of
> view it would be better to have only one event and packet for the reassembled
> packet. I have read this thread: http://seclists.org/snort/2012/q4/758,
> and 2 years ago it was impossible, so my question is: is it possible to
> configure Snort 2.9.6.1 output with unified2 to store reassembled
> packets?
>
> -------------
> BR
> Mateusz
>



-- 

------------
Mateusz