[Snort-users] Save reassembled session if keyword is found. 2

Hyun Yoo easetheworld at ...11827...
Tue Aug 25 17:52:51 EDT 2015


Another question with 'session:binary'.
To save all TCP streams, I used the rule
"alert tcp any any <> any any (session:binary)"
It seems to work, except that the reassembled result is partly duplicated. For
example:

220 ESMTP ready
EHLO
250
MAIL From:<abc at ...17292...>
421
QUIT
EHLO                    // duplicated
MAIL From:<abc at ...17292...> // duplicated

Has anyone used 'session:binary' and seen this issue?
Is this the only way to save the whole session?
