Snort mailing list archives
Re: 'only_stream' (and other alternate decode buffers) do not write out data to the logs
From: <Joshua.Kinard () us-cert gov>
Date: Wed, 12 Oct 2011 02:54:36 -0500
-----Original Message-----
Sent: Saturday, October 08, 2011 4:08 PM
Subject: Re: [Snort-devel] 'only_stream' (and other alternate decode buffers) do not write out data to the logs
Not sure when logging of reassembled packets was removed -- maybe 2.2 or even earlier... It's been a good while, for sure. ;) Snort is only designed to write out the original packets in pcap form -- and not the reassembled packet or arbitrary normalized data that was never actually seen on the wire. This keeps the pcap log as a record of actual on-wire traffic. The unified2 extra data record type was created for the purpose of logging relevant data from the event so it would be useful to analysts.
For example, Snort can log the normalized HTTP URI, SMTP filenames, email recipients, etc. Almost sounds like using unified2 logging might better serve your purpose...
Okay, I'll give unified2 a try then. Still might want to look into why Snort scribbles out an empty pcap (24-byte header) when alerting on a rule using base64_data/file_data or only_stream (probably only_frag, too) and logging to pcap. That might remove some confusion in the future. Cheers!
--J

Snort-devel mailing list: https://lists.sourceforge.net/lists/listinfo/snort-devel
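As an added example (not from the thread or the Snort project), a small check for the symptom described above: it walks a libpcap file and reports whether it holds only the 24-byte global header and no packet records, which is what a pcap log looks like when the alert matched only a reassembled or normalized buffer. The sample files are constructed inline.

```python
import struct

# libpcap magic numbers (microsecond and nanosecond variants) -> struct byte order
_MAGICS = {
    b"\xd4\xc3\xb2\xa1": "<",  # 0xa1b2c3d4, little-endian
    b"\xa1\xb2\xc3\xd4": ">",  # 0xa1b2c3d4, big-endian
    b"\x4d\x3c\xb2\xa1": "<",  # 0xa1b23c4d (nanosecond timestamps), little-endian
    b"\xa1\xb2\x3c\x4d": ">",  # 0xa1b23c4d (nanosecond timestamps), big-endian
}
GLOBAL_HEADER_LEN = 24   # the size of the "empty pcap" reported in the thread
RECORD_HEADER_LEN = 16

def parse_pcap(data: bytes) -> dict:
    """Walk a libpcap file and return link type, snaplen, packet count and
    captured payload bytes. Raises ValueError on bad magic or truncation."""
    if len(data) < GLOBAL_HEADER_LEN:
        raise ValueError("shorter than a libpcap global header")
    endian = _MAGICS.get(data[:4])
    if endian is None:
        raise ValueError("not a libpcap file (unknown magic)")
    _major, _minor, _tz, _sig, snaplen, linktype = struct.unpack(
        endian + "HHiIII", data[4:GLOBAL_HEADER_LEN])
    packets, captured, off = 0, 0, GLOBAL_HEADER_LEN
    while off < len(data):
        if off + RECORD_HEADER_LEN > len(data):
            raise ValueError(f"truncated record header at offset {off}")
        _ts_sec, _ts_frac, incl_len, _orig_len = struct.unpack(
            endian + "IIII", data[off:off + RECORD_HEADER_LEN])
        if incl_len > snaplen or off + RECORD_HEADER_LEN + incl_len > len(data):
            raise ValueError(f"bad or truncated record at offset {off}")
        packets += 1
        captured += incl_len
        off += RECORD_HEADER_LEN + incl_len
    return {"linktype": linktype, "snaplen": snaplen,
            "packets": packets, "captured_bytes": captured}

def is_header_only(data: bytes) -> bool:
    """True when the file is a valid pcap with no packet records, i.e. the
    24-byte file Snort leaves when the alert came from a reassembled buffer."""
    return parse_pcap(data)["packets"] == 0

# Constructed samples (not real Snort output): an empty log, and one holding a
# single 60-byte Ethernet frame (linktype 1) with a fixed, made-up timestamp.
EMPTY_PCAP = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
ONE_PACKET_PCAP = (EMPTY_PCAP
                   + struct.pack("<IIII", 1318056876, 0, 60, 60) + b"\x00" * 60)
```

Run it over the files in Snort's log directory to flag header-only pcaps, which point at alerts whose evidence lives in unified2 extra data rather than in the pcap.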