Re: [Snort-sigs] logging session using tagging

From: Christophe VG <snort-rules(at)valid.be>
Date: Tue Apr 29 2003 - 09:46:10 EDT

On Tue, 2003-04-29 at 15:43, Erek Adams wrote:
> And I'll bet that you're just using default options on stream4_reassemble.
> :) Have a look a few lines down in the .conf and you'll see this:
>
> # both - reassemble both sides of a session
>
> There ya go.

that was what I thought ... so my config looks like this:

# tcp stream reassembly directive
# no arguments loads the default configuration
#   Only reassemble the client,
#   Only reassemble the default list of ports (See below),
#   Give alerts for "bad" streams
#
# Available options (comma delimited):
# clientonly - reassemble traffic for the client side of a connection...
# serveronly - reassemble traffic for the server side of a connection...
# both - reassemble both sides of a session
# noalerts - turn off alerts from the stream reassembly stage of stream4
# ports [list] - use the space separated list of ports in [list], "all"
#            will turn on reassembly for all ports, "default" will turn
#            on reassembly for ports 21, 23, 25, 53, 80, 143, 110, 111
#            and 513

preprocessor stream4_reassemble: both, ports all

Christophe VG

---

This sf.net email is sponsored by:ThinkGeek Welcome to geek heaven.
http://thinkgeek.com/sf

---

Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs Received on Tue Apr 29 10:25:59 2003