Snort mailing list archives

newbie question on Stream4 preprocessing - missing last packet


From: "Dan O'Keefe" <dokeefe () attbi com>
Date: Mon, 28 Apr 2003 08:53:17 -0400

Hi

I am a new user of Snort, and was very interested in using it because of the tcp stream reassembly capabilities. Right now, I am using snort to trap a full message (composed of multiple tcp packets with the tcp stream re-assembled) based on a portion of the content of the message. To do this, I am using the stream4 pre-processing.


Basically, I want to alert only on the full, re-assembled stream (applying rules only AFTER it has been fully assembled) and dump it to a log.

It almost works fine, except for one problem - all the packets except the last one get logged. The last packet ends up getting jammed into the beginning of the next logged message. It's almost as if when the message is logged, it forgets to write out the last packet and so that packet remains in memory for the next logged message.

My config file has the settings:
===========================================
config stateful
config quiet
config dump_payload
preprocessor stream4
preprocessor stream4_reassemble: both ports "all"
noalerts

My rule uses the options:
====================================
flow:established,only_stream; content: "|3C3F786D6C|";


Average reassembled message size to be logged is about 10k.

Anyone got any ideas? I've tried all sorts of configuration settings but this behavior seems to be pretty consistent. I 
hope I'm doing something daft.

Thanks for any help.
Dan O'Keefe
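The symptom above (the last segment of one message showing up at the front of the next logged one) is what you get whenever the reassembler's flush boundary does not line up with the application's message boundary. The following is an added toy model to illustrate that, not Snort's stream4 code and not a statement about how stream4 actually decides its flush points: it buffers in-order TCP payload and flushes it to a "detection" consumer either after a fixed number of segments or when the sender closes (FIN). The sample traffic, the segment size and the flush thresholds are constructed here; the only value taken from the post is the rule's content bytes, `|3C3F786D6C|`, which decode to `<?xml`.

```python
"""
Toy model of TCP stream reassembly flush policies (added example; this is
not Snort's stream4 code and makes no claim about Snort's internals).

One direction of a TCP stream carries several application messages, each
split into a few segments. The reassembler collects in-order payload and
"flushes" the buffer to the detection engine under a flush policy:

  * flush_every=N   -- emit once N segments are buffered
  * flush on FIN    -- emit whatever is buffered when the sender closes

A segment-count policy that does not line up with message boundaries
reproduces the symptom in the post: the final segment of a message is
left in the buffer and ends up at the front of the next emitted chunk.
"""
from dataclasses import dataclass, field
from typing import Optional

# Content bytes from the post's rule: |3C3F786D6C| == b"<?xml"
XML_MAGIC = bytes.fromhex("3C3F786D6C")


@dataclass
class Segment:
    seq: int
    payload: bytes
    fin: bool = False


@dataclass
class Reassembler:
    flush_every: Optional[int] = None   # segment-count flush threshold; None disables it
    next_seq: int = 0
    buf: bytearray = field(default_factory=bytearray)
    buffered_segments: int = 0
    pending: dict = field(default_factory=dict)   # out-of-order segments keyed by seq
    chunks: list = field(default_factory=list)    # what the detection engine would see

    def feed(self, seg: Segment) -> None:
        if seg.seq != self.next_seq:            # hold out-of-order data until the gap fills
            self.pending[seg.seq] = seg
            return
        self._append(seg)
        while self.next_seq in self.pending:    # drain segments that are now contiguous
            self._append(self.pending.pop(self.next_seq))

    def _append(self, seg: Segment) -> None:
        self.buf += seg.payload
        self.next_seq += len(seg.payload)
        self.buffered_segments += 1
        if self.flush_every is not None and self.buffered_segments >= self.flush_every:
            self.flush()
        if seg.fin:                             # sender closed: nothing more will arrive
            self.flush()

    def flush(self) -> None:
        if self.buf:
            self.chunks.append(bytes(self.buf))
            self.buf.clear()
        self.buffered_segments = 0


def segments_for(messages: list, seg_size: int) -> list:
    """Split each message into fixed-size segments; FIN rides on the very last one."""
    segs = []
    seq = 0
    for msg in messages:
        for i in range(0, len(msg), seg_size):
            segs.append(Segment(seq, msg[i:i + seg_size]))
            seq += len(segs[-1].payload)
    segs[-1].fin = True
    return segs


def replay(messages: list, seg_size: int, flush_every: Optional[int]) -> list:
    """Feed the segments in order and return the chunks handed to detection."""
    r = Reassembler(flush_every=flush_every)
    for seg in segments_for(messages, seg_size):
        r.feed(seg)
    return r.chunks


def chunks_start_with_magic(chunks: list) -> list:
    """Whether each flushed chunk begins at a message boundary (starts with <?xml)."""
    return [c.startswith(XML_MAGIC) for c in chunks]


# Constructed sample traffic: two 32-byte XML messages, i.e. 4 segments of 8 bytes each.
MESSAGES = [b"<?xml a=1?><a/>" + b"." * 17, b"<?xml b=2?><b/>" + b"." * 17]

if __name__ == "__main__":
    for policy in (3, 4, None):
        out = replay(MESSAGES, 8, policy)
        print(policy, len(out), "chunks, aligned:", chunks_start_with_magic(out))
```

With `flush_every=3` the second emitted chunk starts with the tail of message one followed by the start of message two, so a content match on `<?xml` fires on a chunk whose "message" is misaligned; with `flush_every=4` (aligned) or with flush only on FIN, every chunk starts at a message boundary. When checking a real reassembler, the question to answer is therefore where its flush points fall relative to the protocol's message boundaries and whether anything left in the buffer is flushed at session end, since the content match itself will succeed either way.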
