Snort mailing list archives

über-packet


From: elof () sentor se
Date: Fri, 4 Mar 2011 12:16:08 +0100 (CET)


Hi!

Many years ago, snort logged stream-matches as an über-packet, i.e. a packet far bigger than the normal max 1500 bytes frame size.

The size of such über-packet events was usually 64kB.

Q1: Is this behavior completely deprecated?

I guess it is, and that it is replaced with a function that dumps the individual packets that are part of the stream instead.
Q2: Correct?


Q3: Is there any way to configure snort to do it the old way? I.e. log one (1) large über-packet with a copy of the whole stream-buffer instead of e.g. 14 small packets?


(nowadays I'm using unified2)
_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel
