Re: log_flushed_streams with Stream5

[Joel Esler <eslerj () gmail com>]

Take a look at the readme for stream5 in the tarball of Snort.  It's located
in the /doc directory.
Paste:

- Preprocessor name: stream5_global
- Options:
    track_tcp <yes|no>      - Track sessions for TCP.  The default is "yes".
    max_tcp <number>        - Max concurrent sessions for TCP.  The default
                              is "256000", maximum is "1052672", minimum is
"1".
    memcap <bytes>          - Memcap for TCP packet storage.  The default
                              is "8388608" (8MB), maximum is "1073741824"
(1GB),
                              minimum is "32768" (32KB).
    track_udp <yes|no>      - Track sessions for UDP.  The default is "yes".
    max_udp <number>        - Max concurrent sessions for UDP.  The default
                              is "128000", maximum is "1052672", minimum is
"1".
    track_icmp <yes|no>     - Track sessions for ICMP.  The default is
"yes".
    max_icmp <number>       - Max concurrent sessions for ICMP.  The default
                              is "64000", maximum is "1052672", minimum is
"1".
*    flush_on_alert          - Backwards compatibility.  Flush a TCP stream*
*                              when an alert is generated on that stream.
 The*
*                              default is set to off.*
    show_rebuilt_packets    - Print/display packet after rebuilt (for
                              debugging).  The default is set to off.
    prune_log_max <bytes>   - Print a message when a session terminates that
                              was consuming more than the specified number
of
                              bytes.  The default is "1048576" (1MB),
minimum
                              is "0" (unlimited), maximum is not bounded,
other
                              than by the memcap.


Thanks.

J

On Sat, Mar 7, 2009 at 11:18 AM, phez asap <phez.asap () gmail com> wrote:

> Hi all
>
> I was using the "log_flushed_streams" option with stream4/flow to do a pcap
> dump of streams that triggered a rule. I am trying to switch over to using
> the Stream5 preprocessor but it does not seem to support this. It is very
> useful and I have to guess it is still possible to do this. Is there a new
> way that this is being set up now when using stream5?
>
> I tried posting this to the list before but it looked like it did not work.
> Sorry if this is a double post.
>
> =Mike=
>
>
> ------------------------------------------------------------------------------
> Open Source Business Conference (OSBC), March 24-25, 2009, San Francisco,
> CA
> -OSBC tackles the biggest issue in open source: Open Sourcing the
> Enterprise
> -Strategies to boost innovation and cut costs with open source
> participation
> -Receive a $600 discount off the registration fee with the source code:
> SFAD
> http://p.sf.net/sfu/XcvMzF8H
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users



-- 
Joel Esler
T: 302-223-5974 (-) Gtalk: jesler () sourcefire com
[m]

------------------------------------------------------------------------------
Apps built with the Adobe(R) Flex(R) framework and Flex Builder(TM) are
powering Web 2.0 with engaging, cross-platform capabilities. Quickly and
easily build your RIAs with Flex Builder, the Eclipse(TM)based development
software that enables intelligent coding and step-through debugging.
Download the free 60 day trial. http://p.sf.net/sfu/www-adobe-com

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users