Take a look at the readme for stream5 in the tarball of Snort. It's located in the /doc directory.<div><br></div><div>Paste:</div><div><br></div><div><div>- Preprocessor name: stream5_global</div><div>- Options:</div>
<div> track_tcp &lt;yes|no&gt; - Track sessions for TCP. The default is "yes".</div>
<div> max_tcp &lt;number&gt; - Max concurrent sessions for TCP. The default is "256000", maximum is "1052672", minimum is "1".</div>
<div> memcap &lt;bytes&gt; - Memcap for TCP packet storage. The default is "8388608" (8MB), maximum is "1073741824" (1GB), minimum is "32768" (32KB).</div>
<div> track_udp &lt;yes|no&gt; - Track sessions for UDP. The default is "yes".</div>
<div> max_udp &lt;number&gt; - Max concurrent sessions for UDP. The default is "128000", maximum is "1052672", minimum is "1".</div>
<div> track_icmp &lt;yes|no&gt; - Track sessions for ICMP. The default is "yes".</div>
<div> max_icmp &lt;number&gt; - Max concurrent sessions for ICMP. The default is "64000", maximum is "1052672", minimum is "1".</div>
<div><b> flush_on_alert - Backwards compatibility. Flush a TCP stream when an alert is generated on that stream. The default is set to off.</b></div>
<div> show_rebuilt_packets - Print/display packet after rebuilt (for debugging). The default is set to off.</div>
<div> prune_log_max &lt;bytes&gt; - Print a message when a session terminates that was consuming more than the specified number of bytes. The default is "1048576" (1MB), minimum is "0" (unlimited), maximum is not bounded, other than by the memcap.</div>
<div><br></div><div>Thanks.</div><div><br></div><div>J</div><br><div class="gmail_quote">On Sat, Mar 7, 2009 at 11:18 AM, phez asap <span dir="ltr"><<a href="mailto:phez.asap@...14459.....">phez.asap@...11827...</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">Hi all<br><br>I was using the "log_flushed_streams" option with stream4/flow to do a pcap dump of streams that triggered a rule. I am trying to switch over to using the Stream5 preprocessor but it does not seem to support this. It is very useful and I have to guess it is still possible to do this. Is there a new way that this is being set up now when using stream5?<br>
<br>I tried posting this to the list before but it looked like it did not work. Sorry if this is a double post.<br><br>=Mike=<br>
<br>_______________________________________________<br>
Snort-users mailing list<br>
<a href="mailto:Snort-users@lists.sourceforge.net">Snort-users@...4626...ceforge.net</a><br>
Go to this URL to change user options or unsubscribe:<br>
<a href="https://lists.sourceforge.net/lists/listinfo/snort-users" target="_blank">https://lists.sourceforge.net/lists/listinfo/snort-users</a><br>
Snort-users list archive:<br>
<a href="http://www.geocrawler.com/redir-sf.php3?list=snort-users" target="_blank">http://www.geocrawler.com/redir-sf.php3?list=snort-users</a><br></blockquote></div><br><br clear="all"><br>-- <br>Joel Esler<br>T: 302-223-5974 (-) Gtalk: <a href="mailto:jesler@...1935...">jesler@...14182.....</a><br>
[m]<br>
</div>
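The stream5_global options pasted in the reply above, written out as a snort.conf fragment. This is an added example, not text from the original mail or from the Snort README; it assumes the Snort 2.x `preprocessor name: option, option` syntax with backslash line continuation, uses the default values quoted in the paste, and assumes a stream5_tcp line is needed alongside stream5_global for TCP tracking (the "policy first" setting is an assumption taken from a stock Snort 2.8 snort.conf).

```conf
# Added example snort.conf fragment (not from the original mail or the Snort
# README). It turns on stream5 with the flush_on_alert option highlighted in
# the reply: a TCP stream is flushed when an alert is generated on it, which is
# the stream5 counterpart of the old stream4 behaviour the question asks about.
# Values are the README defaults; tune max_tcp/memcap to the sensor's RAM so
# session tracking cannot be exhausted on a busy link.
preprocessor stream5_global: track_tcp yes, \
                             max_tcp 256000, \
                             memcap 8388608, \
                             track_udp yes, \
                             max_udp 128000, \
                             track_icmp yes, \
                             max_icmp 64000, \
                             flush_on_alert, \
                             prune_log_max 1048576

# Assumed: TCP tracking also needs a stream5_tcp reassembly policy line;
# "first" is the policy used in the default snort.conf shipped with 2.8.
preprocessor stream5_tcp: policy first
```

Reload Snort with `-T` first to let the config parser validate the fragment before running it in production.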