Re: Save reassembled session if keyword is found. 2

["Joel Esler (jesler)" <jesler () cisco com>]

Why would you do this?  Just use Snort (or better yet, daemonlogger) to write the pcap traffic to disk.


--
Joel Esler
Manager, Threat Intelligence Team & Open Source
Talos Group
http://www.talosintel.com

On Aug 25, 2015, at 5:52 PM, Hyun Yoo <easetheworld () gmail com<mailto:easetheworld () gmail com>> wrote:


Another question with 'session:binary'.
To save all tcp stream, I used a rule
"alert tcp any any <> any any (session:binary)"
It seems worked except the reassembled result is partly duplicated. for example

220 ESMTP ready
EHLO
250
MAIL From:<abc () def com<mailto:abc () def com>>
421
QUIT
EHLO                    // duplicated
MAIL From:<abc () def com<mailto:abc () def com>> // duplicated

Has anyone used 'session:binary' and seen this issue?
Is this the only way to save the whole session?

------------------------------------------------------------------------------
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net<mailto:Snort-users () lists sourceforge net>
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!

------------------------------------------------------------------------------

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!