Snort mailing list archives

reassembling transmitted data


From: "gimmi gionnini" <gimmiqwerty () hotmail com>
Date: Tue, 10 Sep 2002 18:21:14 +0000

Hi, I'm quite a newbie with snort and I have a problem when I log a mail and its attachment. I run my box with snort, mysql, apache, php, generally the latest release of each.
Currently I'm logging to a mysql db with only 2 simple rules like

log tcp any 110 -> any any
log tcp any any -> any 25

and snort.conf with stream4_reassemble: both, ports 25,110

Text data is no problem: when I use the 'encoding=ascii' option, I can see in the data field of the db the transmitted message in perfect plain text, and also the sender/receiver accounts, with some quoted characters but with the info still usable. The problem is that I don't know how to reconstruct the entire file of a non-text attachment as it was when posted. Is there a way to convert the ascii payloads (after joining the single data fields, I suppose) into the exact attachment? Or better, when logging in the default binary format, is there a way to reassemble the message+attachment and convert this entity with bin2-something into something exactly as it was when sent? I also don't completely understand what I can do by logging in tcpdump format, even though it seems to be a possible way to resolve my problem, nor whether I can still log to the mysql db while using log_tcpdump.

Thanks in advance for all explanations & tips




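Added example (not part of the original post, and not Snort code): a Python illustration of the reconstruction step asked about above, for the port 25 case. It assumes the payload bytes of one client-to-server SMTP session were logged without loss and are joined in sequence order; the function names and the sample session are constructed for illustration.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

def extract_smtp_data(client_stream: bytes) -> bytes:
    """Return the RFC 822 message carried after DATA in a client->server stream."""
    m = re.search(rb"(?im)^DATA\r\n", client_stream)
    if not m:
        raise ValueError("no DATA command in stream")
    # ValueError here means the capture ended before the end-of-data marker.
    end = client_stream.index(b"\r\n.\r\n", m.end())
    body = client_stream[m.end():end] + b"\r\n"
    # Undo SMTP dot-stuffing: drop the extra leading '.' added in transit.
    return re.sub(rb"(?m)^\.", b"", body)

def extract_attachments(rfc822: bytes):
    """Return [(filename, raw_bytes)]; base64/quoted-printable is decoded."""
    msg = message_from_bytes(rfc822, policy=policy.default)
    return [(p.get_filename(), p.get_payload(decode=True))
            for p in msg.iter_attachments()]

def recover(rows):
    """rows: payload fields of one session, already in sequence order."""
    return extract_attachments(extract_smtp_data(b"".join(rows)))

def build_sample_rows(blob: bytes, row_size: int = 61):
    """Constructed test input: an SMTP session split into fixed-size rows."""
    msg = EmailMessage()
    msg["From"], msg["To"] = "a@example.com", "b@example.com"
    msg["Subject"] = "constructed sample"
    msg.set_content("see attachment\n.hidden line\n")
    msg.add_attachment(blob, maintype="application",
                       subtype="octet-stream", filename="sample.bin")
    wire = re.sub(rb"(?m)^\.", b"..", msg.as_bytes(policy=policy.SMTP))
    stream = (b"EHLO client.example\r\nMAIL FROM:<a@example.com>\r\n"
              b"RCPT TO:<b@example.com>\r\nDATA\r\n" + wire + b".\r\nQUIT\r\n")
    return [stream[i:i + row_size] for i in range(0, len(stream), row_size)]

if __name__ == "__main__":
    blob = bytes(range(256)) * 4   # every byte value, so any lossy step shows
    for name, data in recover(build_sample_rows(blob)):
        print(name, len(data), data == blob)
```

The attachment travels as base64 text inside the message, so the decode step is what turns the joined payload back into the original bytes; a missing or altered row shows up as a parse failure or a mismatch against a known hash of the file.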