Snort mailing list archives

Re: 'only_stream' (and other alternate decode buffers) do not write out data to the logs


From: Jason Brvenik <jason.brvenik () sourcefire com>
Date: Fri, 7 Oct 2011 20:50:35 -0400

AFAIK pseudo packet logging is gone and has been for a while. The only
output method that supports this (differently mind you) is unified2.

If you log to unified2 it will log the event and the packet(s) that made up
the event. In your case these should be the packets that created the
reassembled pseudo packet.

On Oct 7, 2011 8:30 PM, <Joshua.Kinard () us-cert gov> wrote:
-----Original Message-----
From: Joel Esler [mailto:jesler () sourcefire com]
Sent: Friday, October 07, 2011 3:12 PM
Subject: Re: [Snort-devel] 'only_stream' (and other alternate decode
buffers) do not write out data to the logs

Joshua,

I'm not saying what you found isn't a bug, but I am not sure the way
you are doing things will produce the results you are looking for.

Only_stream is a matching function. Meaning, only match the contents
of a rule if it's in the reassembled stream buffer.

If you are looking to LOG extra data, you want the "Tag" rule keyword.

This is why I am seeking clarity... If Snort ISN'T supposed to write
out the matching buffer to a pcap file, then the bug is that it writes
out an empty pcap file. Although I don't see why it couldn't write out
a pcap file containing the contents of the reassembled Stream5 (or even
Frag3) pseudo-packet, or the buffer pointed at by file_data,
base64_data, etc. Wireshark might make a fuss over it, but it still
might prove useful to have.

Is there a spot in the source code I can go take a look? I've been more
into the detection-plugins stuff and haven't looked at the output
plugins or DAQ too much. If I start at the function that actually
writes the pcap file out to disk, I can backtrace from there and see
what causes this.

Thanks!

--J
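Jason's point above is that unified2 writes the event record and then the raw packets behind it, so a reassembled-stream match is recoverable from the log even though no pseudo packet is written. The following is an added example, not code from Snort or from anyone in this thread: it encodes a small unified2 file from constructed data and walks it, pairing every packet record with its event by (sensor_id, event_id) and flagging packets whose event is missing. The record types and field layouts are written from memory of Snort's Unified2_common.h and should be treated as an assumption to check against your version's header; the frame bytes are constructed payload slices, not real Ethernet frames.

```python
"""Walk a unified2 log and pair each packet record with the event it belongs to."""
import ipaddress
import struct

# Record types and struct layouts as in Snort's Unified2_common.h (from memory;
# treat as an assumption and check against your Snort version's header).
UNIFIED2_PACKET = 2       # Serial_Unified2Packet
UNIFIED2_IDS_EVENT = 7    # Serial_Unified2IDSEvent_legacy (IPv4)

RECORD_HDR = struct.Struct("!II")      # record type, record length
# sensor_id, event_id, event_second, event_microsecond, signature_id,
# generator_id, signature_revision, classification_id, priority_id,
# ip_source, ip_destination, sport_itype, dport_icode,
# protocol, impact_flag, impact, blocked
EVENT = struct.Struct("!11I2H4B")      # 52 bytes
# sensor_id, event_id, event_second, packet_second, packet_microsecond,
# linktype, packet_length, followed by packet_length bytes of frame data
PACKET = struct.Struct("!7I")          # 28 bytes + data


def build_event(sensor_id, event_id, second, sid, gid, rev, src, dst, sport, dport, proto):
    """Encode one IPv4 event record (fields this example does not use are zeroed)."""
    body = EVENT.pack(sensor_id, event_id, second, 0, sid, gid, rev, 0, 0,
                      int(ipaddress.IPv4Address(src)), int(ipaddress.IPv4Address(dst)),
                      sport, dport, proto, 0, 0, 0)
    return RECORD_HDR.pack(UNIFIED2_IDS_EVENT, len(body)) + body


def build_packet(sensor_id, event_id, second, frame):
    """Encode one packet record tied to (sensor_id, event_id); linktype 1 = Ethernet."""
    body = PACKET.pack(sensor_id, event_id, second, second, 0, 1, len(frame)) + frame
    return RECORD_HDR.pack(UNIFIED2_PACKET, len(body)) + body


def iter_records(buf):
    """Yield (type, body) for each record; refuse to silently skip a truncated tail."""
    off = 0
    while off < len(buf):
        if len(buf) - off < RECORD_HDR.size:
            raise ValueError("truncated record header at offset %d" % off)
        rtype, rlen = RECORD_HDR.unpack_from(buf, off)
        off += RECORD_HDR.size
        if len(buf) - off < rlen:
            raise ValueError("truncated record body at offset %d" % off)
        yield rtype, buf[off:off + rlen]
        off += rlen


def correlate(buf):
    """Return ({(sensor_id, event_id): event_dict}, [orphan keys]).

    Each event_dict carries the rule identity and the frames Snort logged
    for that event, in the order they appear in the file.
    """
    events, orphans = {}, []
    for rtype, body in iter_records(buf):
        if rtype == UNIFIED2_IDS_EVENT:
            f = EVENT.unpack_from(body)
            events[(f[0], f[1])] = {
                "sid": f[4], "gid": f[5], "rev": f[6],
                "src": str(ipaddress.IPv4Address(f[9])),
                "dst": str(ipaddress.IPv4Address(f[10])),
                "sport": f[11], "dport": f[12], "proto": f[13],
                "packets": [],
            }
        elif rtype == UNIFIED2_PACKET:
            h = PACKET.unpack_from(body)
            frame = body[PACKET.size:PACKET.size + h[6]]
            key = (h[0], h[1])
            if key in events:
                events[key]["packets"].append(frame)
            else:
                orphans.append(key)   # its event sits in another file or was lost
        # extra-data and IPv6 record types are skipped in this example
    return events, orphans


def build_sample_log():
    """Constructed sample: one event plus the three segments behind a reassembled
    stream match, then a stray packet record with no matching event."""
    segs = [b"GET /index.html HT", b"TP/1.1\r\nHost: exa", b"mple.test\r\n\r\n"]
    log = build_event(1, 100, 1317952235, 1000001, 1, 1,
                      "10.0.0.5", "192.0.2.10", 40000, 80, 6)
    log += b"".join(build_packet(1, 100, 1317952235, s) for s in segs)
    log += build_packet(1, 999, 1317952235, b"\x00" * 14)
    return log


if __name__ == "__main__":
    evs, stray = correlate(build_sample_log())
    for key, ev in evs.items():
        print(key, "sid=%d" % ev["sid"], ev["src"], "->", ev["dst"],
              "%d packet(s), %d payload bytes"
              % (len(ev["packets"]), sum(map(len, ev["packets"]))))
    print("orphans:", stray)
```

The correlation key is the (sensor_id, event_id) pair because event_id alone repeats across sensors and across Snort restarts; when several segments are logged for one event, concatenating the frames in file order is what gives you back the data the reassembled-stream rule actually matched on. The parser raises on a truncated tail rather than skipping it, since a unified2 file that is still being written will routinely end mid-record.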


_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel

Please visit http://blog.snort.org for the latest news about Snort!