<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
</head>
<body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class="">
Why would you do this?  Just use Snort (or better yet, daemonlogger) to write the pcap traffic to disk.
<div class=""><br class="">
</div>
<div class=""><br class="">
<div apple-content-edited="true" class="">
<div style="margin: 0px; line-height: normal; font-family: 'Lucida Grande';" class="">
--</div>
<div style="margin: 0px; line-height: normal; font-family: 'Lucida Grande';" class="">
<b class="">Joel Esler</b></div>
<div style="margin: 0px; line-height: normal; font-family: 'Lucida Grande';" class="">
Manager, Threat Intelligence Team &amp; Open Source</div>
<div style="margin: 0px; line-height: normal; font-family: 'Lucida Grande';" class="">
Talos Group</div>
<div style="margin: 0px; line-height: normal; font-family: 'Helvetica Neue';" class="">
<a href="http://www.talosintel.com" class="">http://www.talosintel.com</a></div>
</div>
<br class="">
<div>
<blockquote type="cite" class="">
<div class="">On Aug 25, 2015, at 5:52 PM, Hyun Yoo &lt;<a href="mailto:easetheworld@...11827..." class="">easetheworld@...11827...</a>&gt; wrote:</div>
<br class="Apple-interchange-newline">
<div class="">
<p dir="ltr" class="">Another question with 'session:binary'.<br class="">
To save all TCP streams, I used a rule<br class="">
"alert tcp any any &lt;&gt; any any (session:binary)"<br class="">
It seems to have worked, except that the reassembled result is partly duplicated. For example:</p>
<p dir="ltr" class="">220 ESMTP ready<br class="">
EHLO<br class="">
250<br class="">
MAIL From:&lt;<a href="mailto:abc@...17292..." class="">abc@...17292...</a>&gt;<br class="">
421<br class="">
QUIT<br class="">
EHLO                    // duplicated<br class="">
MAIL From:&lt;<a href="mailto:abc@...17292..." class="">abc@...17292...</a>&gt; // duplicated</p>
<p dir="ltr" class="">Has anyone used 'session:binary' and seen this issue?<br class="">
Is this the only way to save the whole session?</p>
Snort-users mailing list<br class="">
<a href="mailto:Snort-users@lists.sourceforge.net" class="">Snort-users@lists.sourceforge.net</a><br class="">
</div>
</blockquote>
</div>
<br class="">
</div>
</body>
</html>