Re: snort session reassembly problem

[Edin Dizdarevic <edin.dizdarevic () interActive-Systems de>]

Hi Erek,

Erek Adams wrote:
> On Fri, 7 Mar 2003, gupta_sonali wrote:
>
>
> > I am using snort to do multiple keyword search on a tcpdump file. The
> > output I need is all the sessions containing those keywords. Thecomplete
> > session should be stored in case the keyword is found. I specified
> > session: binary in the conf file, and also tried enabling the stream4
> > preprocessor.  However, I am facing two problems.
>
>
> [...snip...]
>
> Simply, Snort can't do that.
>
> You'll need to use something like ethereal's 'follow stream' feature.
>
> Stream4 needs to read packets off of the wire to function correctly.  It
> can't do that from a pcap file.

Would you please explain that. Why is it so? What is the difference?

Reading the information from a file sequentially should not be really that
different from reading it off the wire.

What do in that case the information given by Snort mean after the file has
been processed?

Regards,

Edin

> Cheers!

--
Edin Dizdarevic



-------------------------------------------------------
This SF.net email is sponsored by: Etnus, makers of TotalView, The debugger 
for complex code. Debugging C/C++ programs can leave you feeling lost and 
disoriented. TotalView can help you find your way. Available on major UNIX 
and Linux platforms. Try it free. www.etnus.com
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users