Snort mailing list archives
Save reassembled session if keyword is found. 2
From: Hyun Yoo <easetheworld () gmail com>
Date: Wed, 26 Aug 2015 06:52:51 +0900
Another question with 'session:binary'. To save all TCP streams, I used the rule:

    alert tcp any any <> any any (session:binary)

It seemed to work, except that the reassembled result is partly duplicated. For example:

    220 ESMTP ready
    EHLO
    250
    MAIL From:<abc () def com>
    421
    QUIT
    EHLO                         // duplicated
    MAIL From:<abc () def com>   // duplicated

Has anyone used 'session:binary' and seen this issue? Is this the only way to save the whole session?
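Added example, not from this thread or from Snort: a sequence-number-aware reassembler for one direction of a TCP stream. Retransmitted or overlapping segments are one common way a dump ends up with repeated chunks when payloads are simply appended in arrival order; this code keeps only bytes not already covered. The SMTP segments, initial sequence number and addresses are constructed for the demonstration.

```python
from dataclasses import dataclass


@dataclass
class Segment:
    seq: int        # TCP sequence number of the first payload byte
    payload: bytes


def naive_append(segments):
    """What a dump looks like if payloads are written in arrival order."""
    return b"".join(s.payload for s in segments)


def reassemble(segments, isn):
    """Return (data, dropped): the in-order byte stream starting at isn+1 (first
    byte after the SYN) and how many bytes were skipped as already covered.
    Assumes no 32-bit sequence wraparound within the stream; stops at a gap."""
    out = bytearray()
    dropped = 0
    next_seq = isn + 1
    for seg in sorted(segments, key=lambda s: s.seq):   # stable: keeps arrival order on ties
        if not seg.payload:
            continue
        end = seg.seq + len(seg.payload)
        if end <= next_seq:                 # full retransmission of known bytes
            dropped += len(seg.payload)
            continue
        if seg.seq < next_seq:              # partial overlap: keep only the new tail
            dropped += next_seq - seg.seq
            out += seg.payload[next_seq - seg.seq:]
        elif seg.seq == next_seq:           # exactly the next expected bytes
            out += seg.payload
        else:                               # missing bytes before this segment
            break
        next_seq = end
    return bytes(out), dropped


ISN = 1000
# Constructed client side of an SMTP exchange; EHLO and MAIL From are re-sent.
CLIENT_SEGMENTS = [
    Segment(1001, b"EHLO mail.example.test\r\n"),
    Segment(1025, b"MAIL From:<abc@example.test>\r\n"),
    Segment(1001, b"EHLO mail.example.test\r\n"),          # retransmission
    Segment(1025, b"MAIL From:<abc@example.test>\r\n"),    # retransmission
    Segment(1055, b"QUIT\r\n"),
]

if __name__ == "__main__":
    print(naive_append(CLIENT_SEGMENTS).decode())
    data, dropped = reassemble(CLIENT_SEGMENTS, ISN)
    print(data.decode(), "dropped:", dropped)
```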