Hosting Provided By

Re: [Snort-sigs] logging session using tagging

From: Erek Adams <erek(at)snort.org>
Date: Tue Apr 29 2003 - 09:43:37 EDT

On Mon, 28 Apr 2003, Christophe VG wrote:

[...snip...]

> 2. I only see the src's side of the session being logged

[...snip...]

> One good thing is that I also have the HELO which occured in front of

>From Snort.conf:

  # tcp stream reassembly directive
  # no arguments loads the default configuration
  #   Only reassemble the client,
  #   Only reassemble the default list of ports (See below),
  #   Give alerts for "bad" streams

And I'll bet that you're just using default options on stream4_reassemble. :) Have a look a few lines down in the .conf and you'll see this:

Do you need help?

# both - reassemble both sides of a session

There ya go.

Cheers!

Erek Adams

"When things get weird, the weird turn pro." H.S. Thompson

This sf.net email is sponsored by:ThinkGeek Welcome to geek heaven.
http://thinkgeek.com/sf

Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs Received on Tue Apr 29 10:26:04 2003

This message: [ Message body ]
Next message: Erik Alexander Løkken: "Re: [Snort-sigs] False Positive on SMTP HELO Overflow"
Previous message: Christophe VG: "Re: [Snort-sigs] logging session using tagging"
In reply to Christophe VG: "[Snort-sigs] logging session using tagging"

Contemporary messages sorted: [ By Date ] [ By Thread ] [ By Subject ] [ By Author ] [ By messages with attachments ]

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:08:27 EDT