Snort mailing list archives

Re: snort session reassembly problem


From: Erek Adams <erek () snort org>
Date: Fri, 7 Mar 2003 12:13:31 -0500 (EST)

On Fri, 7 Mar 2003, gupta_sonali wrote:

I am using snort to do multiple keyword search on a tcpdump file. The
output I need is all the sessions containing those keywords. The complete
session should be stored in case the keyword is found. I specified
session: binary in the conf file, and also tried enabling the stream4
preprocessor.  However, I am facing two problems.

[...snip...]

Simply, Snort can't do that.

You'll need to use something like ethereal's 'follow stream' feature.

Stream4 needs to read packets off of the wire to function correctly.  It
can't do that from a pcap file.

Cheers!

-----
Erek Adams

   "When things get weird, the weird turn pro."   H.S. Thompson
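Added example, not part of this thread and not code from the Snort project: a small Python stand-in for the "follow stream" approach Erek points to, working purely from a capture file rather than from the wire. It parses classic libpcap bytes, groups TCP payload per direction, orders it by sequence number (handling out-of-order delivery, retransmissions and holes), pairs both directions into one session, and reports which sessions contain the search keywords. The capture, addresses, ports and payloads are all constructed in memory for the demonstration; the function names are this example's own.

```python
# Added example: follow TCP streams in a capture file and search the reassembled
# sessions for keywords. Not code from Snort or from the thread's authors; the
# capture, addresses and payloads below are constructed in memory for the demo.
import struct
from collections import defaultdict

PCAP_MAGIC_LE = 0xA1B2C3D4  # classic libpcap magic, little-endian writer

def build_frame(src_ip, dst_ip, sport, dport, seq, payload):
    """Ethernet/IPv4/TCP frame (PSH|ACK). Checksums stay zero: we only parse, never send."""
    eth = b"\x00" * 12 + b"\x08\x00"  # zero MACs + EtherType IPv4
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes(int(o) for o in src_ip.split(".")),
                     bytes(int(o) for o in dst_ip.split(".")))
    return eth + ip + tcp

def build_pcap(frames):
    """Serialise frames as a classic libpcap byte stream, link type 1 (Ethernet)."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, 1)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1_000_000 + i, 0, len(frame), len(frame)) + frame
    return out

def iter_frames(pcap_bytes):
    """Yield raw frames from pcap bytes, honouring either byte order of the magic."""
    endian = "<" if struct.unpack("<I", pcap_bytes[:4])[0] == PCAP_MAGIC_LE else ">"
    off = 24
    while off + 16 <= len(pcap_bytes):
        incl_len = struct.unpack(endian + "IIII", pcap_bytes[off:off + 16])[2]
        off += 16
        yield pcap_bytes[off:off + incl_len]
        off += incl_len

def parse_tcp_segment(frame):
    """Return ((src, sport, dst, dport), seq, payload) for IPv4/TCP frames, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None
    ihl, total_len = (frame[14] & 0x0F) * 4, struct.unpack("!H", frame[16:18])[0]
    src = ".".join(str(b) for b in frame[26:30])
    dst = ".".join(str(b) for b in frame[30:34])
    tcp = frame[14 + ihl:14 + total_len]  # bounded by IP length, so trailer padding is ignored
    if len(tcp) < 20:
        return None
    sport, dport, seq = struct.unpack("!HHI", tcp[:8])
    return (src, sport, dst, dport), seq, tcp[(tcp[12] >> 4) * 4:]

def reassemble_streams(pcap_bytes):
    """Order each direction's payload by sequence number; duplicate and overlapping
    bytes are dropped and holes are marked with '?' so losses stay visible."""
    segments = defaultdict(dict)  # direction key -> {seq: payload}
    for frame in iter_frames(pcap_bytes):
        parsed = parse_tcp_segment(frame)
        if parsed and parsed[2]:
            key, seq, payload = parsed
            segments[key].setdefault(seq, payload)  # first copy wins on retransmission
    streams = {}
    for key, by_seq in segments.items():
        data, expected = b"", None
        for seq in sorted(by_seq):
            payload = by_seq[seq]
            if expected is not None and seq < expected:  # overlap: keep only the new tail
                payload, seq = payload[expected - seq:], expected
            if expected is not None and seq > expected:  # hole: a segment never arrived
                data += b"?" * (seq - expected)
            data += payload
            expected = seq + len(payload)
        streams[key] = data
    return streams

def find_sessions(pcap_bytes, keywords):
    """Pair both directions into one session and report the keywords each session contains."""
    sessions = defaultdict(dict)
    for (src, sport, dst, dport), data in reassemble_streams(pcap_bytes).items():
        session_key = tuple(sorted([(src, sport), (dst, dport)]))
        sessions[session_key][f"{src}:{sport} -> {dst}:{dport}"] = data
    hits = {}
    for session_key, directions in sessions.items():
        matched = {kw for kw in keywords if any(kw in d for d in directions.values())}
        if matched:
            hits[session_key] = {"matched": matched, "streams": directions}
    return hits

# Constructed capture: an HTTP session delivered out of order, with a retransmission
# and the word "admin" split across two segments; an SMTP session; one non-IP frame.
RESP1 = b"HTTP/1.0 200 OK\r\n\r\nwelcome ad"
SAMPLE_PCAP = build_pcap([
    build_frame("10.0.0.1", "10.0.0.2", 40000, 80, 1011, b"HTTP/1.0\r\n\r\n"),  # arrives first
    build_frame("10.0.0.1", "10.0.0.2", 40000, 80, 1000, b"GET /login "),
    build_frame("10.0.0.1", "10.0.0.2", 40000, 80, 1000, b"GET /login "),       # retransmission
    build_frame("10.0.0.2", "10.0.0.1", 80, 40000, 5000, RESP1),
    build_frame("10.0.0.2", "10.0.0.1", 80, 40000, 5000 + len(RESP1), b"min\n"),
    build_frame("10.0.0.3", "10.0.0.2", 40001, 25, 1, b"EHLO mail.example\r\n"),
    b"\x00" * 12 + b"\x08\x06" + b"\x00" * 28,  # ARP-sized frame, skipped by the parser
])

if __name__ == "__main__":
    for key, hit in find_sessions(SAMPLE_PCAP, [b"login", b"admin"]).items():
        print(key, sorted(hit["matched"]), hit["streams"])
```

Running it reports only the HTTP session, matching both `login` and `admin`, even though no single packet in the constructed capture contains the bytes `admin`: the keyword only exists once the server's two segments are joined, which is exactly why per-packet matching is not a substitute for session reassembly. To use it on a real file, replace `SAMPLE_PCAP` with the bytes read from the tcpdump output; pcapng files and non-Ethernet link types are outside what this parser handles.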

