Snort mailing list archives
Re: 'only_stream' (and other alternate decode buffers) do not write out data to the logs
From: Joel Esler <jesler () sourcefire com>
Date: Fri, 7 Oct 2011 15:12:13 -0400
On Oct 7, 2011, at 3:08 AM, <Joshua.Kinard () us-cert gov> wrote:
Hi snort-devel, I think I've found another bug. There have been times when I wanted to dump a Stream5-reassembled packet back out to the log files to inspect it in Wireshark, and when using 'flow:established,only_stream;', all I get out is a 24-byte file, which is just the pcap header, but no data. I later discovered the same is true when using other decode buffers, such as b64_decode_depth in the SMTP preprocessor and 'file_data;' in a rule -- the alerts write out a 24-byte file and nothing else. Is there a solution/workaround for this? Or where in the code can the function for writing out pcap data be found?
Joshua, I'm not saying what you found isn't a bug, but I am not sure the way you are doing things will produce the results you are looking for. Only_stream is a matching function. Meaning, only match the contents of a rule if it's in the reassembled stream buffer. If you are looking to LOG extra data, you want the "Tag" rule keyword.

--
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire
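An added illustration of the distinction Joel draws, not taken from the thread: two hypothetical Snort 2.x rules (placeholder msg/sid values) where only_stream selects which buffer the content match runs against, and tag decides what gets logged once the rule fires.

```snort
# Added example, not from the thread. Rule text and sids are hypothetical.

# 1. 'only_stream' restricts the content match to the Stream5-reassembled
#    buffer. It says nothing about logging: the alert output still carries
#    only the packet that completed the match.
alert tcp $EXTERNAL_NET any -> $HOME_NET 25 ( \
    msg:"EXAMPLE only_stream match, default logging"; \
    flow:to_server,established,only_stream; \
    content:"Content-Transfer-Encoding|3A| base64"; nocase; \
    sid:1000001; rev:1; )

# 2. Same match, plus 'tag'. After the alert, Snort also logs the next 50
#    packets of this TCP session, so the conversation can be opened in
#    Wireshark. 'tag:session,<count>,<metric>' accepts packets, seconds or
#    bytes as the metric; 'config tagged_packet_limit' (default 256) caps
#    the number of packets a single tag can emit.
alert tcp $EXTERNAL_NET any -> $HOME_NET 25 ( \
    msg:"EXAMPLE only_stream match, session tagged for logging"; \
    flow:to_server,established,only_stream; \
    content:"Content-Transfer-Encoding|3A| base64"; nocase; \
    tag:session,50,packets; \
    sid:1000002; rev:1; )
```

Tagged packets are written as they arrived on the wire, not as the reassembled stream, so the reassembly is left to Wireshark (Follow TCP Stream) rather than read back out of Snort's buffer.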