Snort mailing list archives

Stream/Packet Capture with Snort


From: "Paul Melson" <psmelson () comcast net>
Date: Mon, 9 May 2005 16:27:41 -0400

I'm using one of my Snort sensors (v2.3.2 w/ flexresp) to monitor, among
other things, outbound e-mail traffic.  Right now I am logging to a MySQL
database and can view the offending packet data on a per-alert basis.  In
the case of e-mail traffic, packet captures of lengthy messages (say those
with MIME attachments) don't always include the message headers.  

I have been reading up on stream4 and stream4_reassemble, hoping that I can
force Snort to match on (and thus log) the entire "client" side conversation
to the database, but I'm not having any luck.  Here are the preprocessor
lines from my snort.conf file: 

preprocessor stream4: enforce_state disable_evasion_alerts memcap 67108864
preprocessor stream4_reassemble: clientonly, ports 25

Unfortunately, I still only get the packet with the offending string in the
database.  Am I barking up the wrong tree here?

Thanks,
PaulM
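The behaviour Paul describes (only the segment that contains the matching string is logged, so the SMTP headers sent in earlier segments are missing) is what per-packet inspection gives you, and stream reassembly is the mechanism that puts the whole client side of the session in front of the detection engine. The following toy model is an added example, not code from the post or from Snort: it splits a constructed SMTP session into TCP segments, runs a simple content match both per packet and over the reassembled client stream, and shows the difference. The segment sizes, sequence numbers, message text and the "offending" string are all constructed for illustration.

```python
"""Per-packet versus stream-reassembled content matching on an SMTP session.

Added example, not from the mailing-list post or from Snort itself. All
segments, sequence numbers and message content below are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass
class Segment:
    direction: str  # "client" (mail sender -> MTA) or "server"
    seq: int        # TCP sequence number of the first payload byte
    payload: bytes


# Constructed client-side SMTP conversation: the string a rule would match on
# sits in the MIME body, several segments after the message headers.
MESSAGE = (
    b"MAIL FROM:<alice@example.test>\r\n"
    b"RCPT TO:<bob@example.test>\r\n"
    b"DATA\r\n"
    b"From: alice@example.test\r\n"
    b"To: bob@example.test\r\n"
    b"Subject: quarterly numbers\r\n"
    b"MIME-Version: 1.0\r\n"
    b"Content-Type: application/octet-stream\r\n"
    b"\r\n"
    b"PROJECT_PHOENIX_CONFIDENTIAL base64base64base64...\r\n"
    b".\r\n"
)


def segment_client_data(data: bytes, mss: int, isn: int = 1000) -> list[Segment]:
    """Split the client byte stream into MSS-sized TCP segments."""
    return [Segment("client", isn + off, data[off:off + mss])
            for off in range(0, len(data), mss)]


def per_packet_match(segments: list[Segment], pattern: bytes) -> list[bytes]:
    """No reassembly: each payload is inspected on its own, and only the
    payload that contains the pattern is returned (i.e. would be logged)."""
    return [s.payload for s in segments if pattern in s.payload]


def reassemble(segments: list[Segment], direction: str = "client") -> bytes:
    """Rebuild one direction of the stream (the "clientonly" idea): order the
    segments by sequence number and concatenate them, keeping the first copy
    of any byte that arrives twice (retransmissions, overlapping segments)."""
    ordered = sorted((s for s in segments if s.direction == direction),
                     key=lambda s: s.seq)
    out = bytearray()
    next_seq = ordered[0].seq if ordered else 0
    for s in ordered:
        if s.seq + len(s.payload) <= next_seq:
            continue  # entirely duplicated data, drop it
        start = max(0, next_seq - s.seq)  # skip the overlapping prefix
        out += s.payload[start:]
        next_seq = s.seq + len(s.payload)
    return bytes(out)


def reassembled_match(segments: list[Segment], pattern: bytes) -> bytes | None:
    """With reassembly: the match is evaluated against the whole client stream,
    so the data available for logging includes the headers."""
    stream = reassemble(segments, "client")
    return stream if pattern in stream else None


def demo(pattern: bytes = b"PROJECT_PHOENIX_CONFIDENTIAL", mss: int = 64):
    """Return (per-packet hits, reassembled stream hit) for the constructed session."""
    segs = segment_client_data(MESSAGE, mss)
    # Deliver the segments out of order, add one retransmission and a server
    # reply, to exercise ordering, de-duplication and direction filtering.
    on_the_wire = segs[::-1] + [segs[2]] + [
        Segment("server", 5000, b"354 End data with <CR><LF>.<CR><LF>\r\n"),
    ]
    return per_packet_match(on_the_wire, pattern), reassembled_match(on_the_wire, pattern)


if __name__ == "__main__":
    hits, stream = demo()
    print("per-packet: %d hit(s), headers present: %s"
          % (len(hits), any(b"Subject:" in h for h in hits)))
    print("reassembled: hit=%s, headers present: %s"
          % (stream is not None, stream is not None and b"Subject:" in stream))
```

Running it shows one per-packet hit whose payload contains the matching string but none of the message headers, while the reassembled client stream contains the complete message from `MAIL FROM` through the terminating `.`. Real TCP reassembly has to handle far more (windows, gaps, conflicting overlaps, memory limits, which is what the `memcap` setting in the post's configuration is about), but the distinction between "the packet that matched" and "the stream that matched" is the one that decides whether the headers end up in the database.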




