Snort mailing list archives

RE: uricontent option in 1.9 vs 1.8.6


From: David Gordon <dgordon () mmwec org>
Date: Wed, 26 Feb 2003 15:28:26 -0500

Chris Green <cmg () sourcefire com> writes:


It needs both sides of the conversation with preprocessor stream4: enabled


It's seeing both sides of the conversation, and I have the following line in
my conf file:

preprocessor stream4: detect_scans, disable_evasion_alerts

I suppose the limited snaplen could be causing data that would identify this
as URI content to be lost. 
I'll see if I can examine the packet data to understand what's going on.

In the meantime, I've changed my configuration so that instead of capturing
data with tcpdump and later running it through snort, I run snort and log it
with -b switch. Is this a better way to do it? I guess the files will be
_much_ larger.

David Gordon
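
Added example, not part of the original message or of Snort: one way to check whether a saved tcpdump file was cut short by its snaplen, and how many bytes of TCP payload (where the request URI would sit) survive in each truncated packet. It parses the classic libpcap file format directly; the function names, the sample request and the snaplen of 68 are constructed for illustration and are not taken from the post.

```python
import struct

def tcp_payload_kept(frame):
    """Bytes of TCP payload present in a saved Ethernet/IPv4 frame, or None if not TCP."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None
    ihl = (frame[14] & 0x0F) * 4
    if len(frame) < 14 + ihl + 13:
        return None  # cut before the TCP data-offset field
    tcp_hl = (frame[14 + ihl + 12] >> 4) * 4
    return max(0, len(frame) - 14 - ihl - tcp_hl)

def truncated_packets(pcap_bytes):
    """Return (snaplen, [(index, saved_len, wire_len, tcp_payload_saved), ...])."""
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(pcap_bytes[:4])
    if endian is None:
        raise ValueError("not a classic microsecond libpcap file")
    # Global header ends with snaplen and linktype (bytes 16..23)
    snaplen, linktype = struct.unpack(endian + "II", pcap_bytes[16:24])
    offset, index, cut = 24, 0, []
    while offset + 16 <= len(pcap_bytes):
        # Record header: ts_sec, ts_usec, incl_len (saved), orig_len (on the wire)
        incl_len, orig_len = struct.unpack(endian + "II", pcap_bytes[offset + 8:offset + 16])
        frame = pcap_bytes[offset + 16:offset + 16 + incl_len]
        if incl_len < orig_len:
            kept = tcp_payload_kept(frame) if linktype == 1 else None
            cut.append((index, incl_len, orig_len, kept))
        offset += 16 + incl_len
        index += 1
    return snaplen, cut

def build_sample(snaplen=68):
    """Constructed capture: a bare ACK and an HTTP GET, each saved up to snaplen bytes."""
    request = b"GET /scripts/example.cgi?name=value HTTP/1.0\r\nHost: www.example.com\r\n\r\n"
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, 1)
    for payload in (b"", request):
        eth = b"\x00" * 12 + b"\x08\x00"
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                         bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
        tcp = struct.pack("!HHIIBBHHH", 1025, 80, 0, 0, 0x50, 0x18, 8192, 0, 0)
        frame = eth + ip + tcp + payload
        out += struct.pack("<IIII", 0, 0, min(len(frame), snaplen), len(frame)) + frame[:snaplen]
    return out
```

With the constructed sample, the GET packet is reported as truncated with only 14 payload bytes saved, so the request URI is cut off before it ends and a content match against it has nothing to work with.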

