Snort mailing list archives

'only_stream' (and other alternate decode buffers) do not write out data to the logs


From: <Joshua.Kinard () us-cert gov>
Date: Fri, 7 Oct 2011 02:08:29 -0500


Hi snort-devel,

I think I've found another bug.  There have been times when I wanted to
dump a Stream5-reassembled packet back out to the log files to inspect
it in Wireshark, and when using 'flow:established,only_stream;', all I
get out is a 24-byte file, which is just the pcap header, but no data.
I later discovered the same is true when using other decode buffers,
such as b64_decode_depth in the SMTP preprocessor and 'file_data;' in a
rule -- the alerts write out a 24-byte file and nothing else.

Is there a solution/workaround for this?  Or where in the code can the
function for writing out pcap data be found?


Thanks!

--J
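The 24-byte file described in the report is a bare libpcap global header with no packet records behind it. As an added example, not part of this message or of Snort's own code, the following Python parser reads a classic pcap file from memory, validates the global header, walks the record headers, and flags logs that contain no packets, so a directory of alert logs can be audited for this condition before anyone opens them in Wireshark. The two sample files are constructed inline; the field layout (24-byte global header, 16-byte per-record header) is the standard libpcap format, and `audit_log_files` is a hypothetical helper name.

```python
import struct

PCAP_GLOBAL_HEADER_LEN = 24   # magic, version, thiszone, sigfigs, snaplen, linktype
PCAP_RECORD_HEADER_LEN = 16   # ts_sec, ts_usec, incl_len, orig_len


def parse_pcap(data: bytes) -> dict:
    """Parse a classic libpcap capture held in memory.

    Returns the global header fields and a list of (ts_sec, ts_usec, payload)
    tuples. Raises ValueError on an unrecognised or truncated file, so a
    header-only log is distinguished from a corrupt one.
    """
    if len(data) < PCAP_GLOBAL_HEADER_LEN:
        raise ValueError("shorter than the 24-byte pcap global header")
    magic = data[:4]
    if magic == b"\xd4\xc3\xb2\xa1":      # 0xa1b2c3d4 written little-endian
        endian = "<"
    elif magic == b"\xa1\xb2\xc3\xd4":    # 0xa1b2c3d4 written big-endian
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (magic %s)" % magic.hex())
    major, minor, thiszone, sigfigs, snaplen, linktype = struct.unpack(
        endian + "HHiIII", data[4:PCAP_GLOBAL_HEADER_LEN])

    packets = []
    offset = PCAP_GLOBAL_HEADER_LEN
    while offset < len(data):
        if len(data) - offset < PCAP_RECORD_HEADER_LEN:
            raise ValueError("truncated record header at offset %d" % offset)
        ts_sec, ts_usec, incl_len, orig_len = struct.unpack(
            endian + "IIII", data[offset:offset + PCAP_RECORD_HEADER_LEN])
        offset += PCAP_RECORD_HEADER_LEN
        if len(data) - offset < incl_len:
            raise ValueError("truncated packet data at offset %d" % offset)
        packets.append((ts_sec, ts_usec, data[offset:offset + incl_len]))
        offset += incl_len

    return {
        "version": (major, minor),
        "snaplen": snaplen,
        "linktype": linktype,
        "packets": packets,
    }


def is_header_only(data: bytes) -> bool:
    """True when the file is a valid pcap that carries no packet records."""
    return len(parse_pcap(data)["packets"]) == 0


def audit_log_files(files: dict) -> list:
    """Hypothetical helper: given {name: bytes}, return the names of logs that
    parsed cleanly but contain no packets, i.e. the symptom in the report."""
    return sorted(name for name, blob in files.items() if is_header_only(blob))


# Constructed sample 1: exactly what the report describes, a 24-byte global
# header (version 2.4, snaplen 65535, linktype 1 = Ethernet) and nothing else.
EMPTY_LOG = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)

# Constructed sample 2: the same header followed by one 4-byte record.
GOOD_LOG = EMPTY_LOG + struct.pack("<IIII", 1317967709, 0, 4, 4) + b"ABCD"

if __name__ == "__main__":
    print("empty log header-only:", is_header_only(EMPTY_LOG))   # True
    print("good log header-only:", is_header_only(GOOD_LOG))     # False
    print("flagged:", audit_log_files({"empty.log": EMPTY_LOG, "good.log": GOOD_LOG}))
```

A check like this is cheap to run over a log directory and separates "the rule fired but nothing was written" from a file that is actually corrupt, which is the distinction worth having before concluding the packet was dropped.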

_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel

Please visit http://blog.snort.org for the latest news about Snort!

