Snort mailing list archives
über-packet
From: elof () sentor se
Date: Fri, 4 Mar 2011 12:16:08 +0100 (CET)
Hi!

Many years ago, snort logged stream-matches as an über-packet, i.e. a packet far bigger than the normal max 1500 bytes frame size.
The size of such über-packet events was usually 64kB.

Q1: Is this behavior completely deprecated?
I guess it is, and that it is replaced with a function that dumps the individual packets that are part of the stream instead.
Q2: Correct?

Q3: Is there any way to configure snort to do it the old way? I.e. log one (1) large über-packet with a copy of the whole stream-buffer instead of e.g. 14 small packets?

(nowadays I'm using unified2)
_______________________________________________ Snort-devel mailing list Snort-devel () lists sourceforge net https://lists.sourceforge.net/lists/listinfo/snort-devel