Snort mailing list archives
Re: 'only_stream' (and other alternate decode buffers) do not write out data to the logs
From: <Joshua.Kinard () us-cert gov>
Date: Fri, 7 Oct 2011 19:26:47 -0500
-----Original Message-----
From: Joel Esler [mailto:jesler () sourcefire com]
Sent: Friday, October 07, 2011 3:12 PM
Subject: Re: [Snort-devel] 'only_stream' (and other alternate decode buffers) do not write out data to the logs
Joshua, I'm not saying what you found isn't a bug, but I am not sure the way
you are doing things will produce the results you are looking for.
Only_stream is a matching function. Meaning, only match the contents
of a rule if it's in the reassembled stream buffer.
If you are looking to LOG extra data, you want the "Tag" rule keyword.
This is why I am seeking clarity... If Snort ISN'T supposed to write out the matching buffer to a pcap file, then the bug is that it writes out an empty pcap file. Although, I don't see why it couldn't write out a pcap file containing the contents of the reassembled Stream5 (or even Frag3) pseudo-packet, or the buffer pointed at by file_data, base64_data, etc. Wireshark might make a fuss over it, but it still might prove useful to have.

Is there a spot in the source code I can go take a look? I've been more into the detection-plugins stuff and haven't looked at the output plugins or DAQ too much. If I start at the function that actually writes the pcap file out to disk, I can backtrace from there and see what causes this.

Thanks!,
--J
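As an added illustration (not part of this thread and not Sourcefire's own rules), here are the two rule forms the reply contrasts: flow:only_stream only constrains where the content may match (the reassembled stream), while tag asks Snort to log the packets that follow the triggering one so the log carries more than a single packet. The SIDs, message strings and content string are placeholders.

```snort
# Match constraint: content is only checked against the reassembled
# Stream5 buffer, not individual packets. Nothing extra is logged.
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"EXAMPLE match in reassembled stream only"; flow:established,to_server,only_stream; content:"PLACEHOLDER"; sid:1000001; rev:1;)

# Logging request: after this rule fires, Snort logs the next 10 packets
# of the same session, which is the "extra data" the reply refers to.
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"EXAMPLE log following session packets"; flow:established,to_server; content:"PLACEHOLDER"; tag:session,10,packets; sid:1000002; rev:1;)
```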