[Snort-users] HTTP reassembly problem - Snort 2.9.6.1

Joel Esler (jesler) jesler at ...589...
Sun Jun 22 18:33:35 EDT 2014


Do you have packet captures and a configuration we can use to reproduce the issue?

--
Joel Esler
Sent from my iPhone

On Jun 22, 2014, at 16:04, "Mateusz Pigulski" <m.pigulski at ...11827...> wrote:

Hello, does anybody know about this issue?


2014-06-17 23:14 GMT+02:00 Mateusz Pigulski <m.pigulski at ...11827...>:

Hi experts!

I am a new user on the mailing list and also new to Snort, so first I want to say hello!
I have configured Snort 2.9.6.1 with DAQ 2.0.2 and PF_RING 5.6.1. I want to use Snort to capture HTTP POSTs which are forwarded to my system. I have a problem with configuring the output to store the reassembled packets. When the size of the HTTP POST is larger than 1500, I can see in my unified2 file that every TCP segment is stored as an event and a packet, so if the HTTP POST consists of 2 TCP segments I have 2 events and 2 packets; from my point of view it would be better to have only one event and one packet for the reassembled packet. I have read this thread: http://seclists.org/snort/2012/q4/758, and 2 years ago it was impossible, so my question is: is it possible to configure the unified2 output in Snort 2.9.6.1 to store reassembled packets?

-------------
BR
Mateusz



--

------------
Mateusz