Snort mailing list archives

Re: 'only_stream' (and other alternate decode buffers) do not write out data to the logs


From: <Joshua.Kinard () us-cert gov>
Date: Fri, 7 Oct 2011 21:15:34 -0500

-----Original Message-----
From: Jason Brvenik [mailto:jason.brvenik () sourcefire com]
Sent: Friday, October 07, 2011 8:51 PM
Subject: Re: [Snort-devel] 'only_stream' (and other alternate decode buffers) do not write out data to the logs

> AFAIK pseudo packet logging is gone and has been for a while.
> The only output method that supports this (differently mind
> you) is unified2.
>
> If you log to unified2 it will log the event and the packet(s)
> that made up the event. In your case these should be the
> packets that created the reassembled pseudo packet.

Interesting.  Do you know of a particular date this might have happened
around?  I'd like to go dig into CVS and maybe re-integrate the code and
try it out.  Could've been a problem with it initially that forced the
removal.

I haven't played with unified2 that much.  I typically just log to
straight libpcap files and analyze them in Wireshark.


Thanks!

--J
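The behaviour Jason describes (unified2 records the event plus the packets that produced the reassembled pseudo packet, not the pseudo packet itself) can be checked directly from the spool file. The following Python is an added example, not code from this thread or from Snort: it walks the two record types involved and groups packet records under their event by (sensor_id, event_id). The record layouts follow Snort's Unified2_common.h; the spool bytes are constructed inline with placeholder frames.

```python
import socket
import struct
from collections import defaultdict

UNIFIED2_PACKET = 2        # raw packet record, follows the event it belongs to
UNIFIED2_IDS_EVENT = 7     # legacy IPv4 IDS event record (52 bytes)

RECORD_HDR = struct.Struct("!II")         # type, length (network byte order)
EVENT_FMT = struct.Struct("!9I4s4sHH4B")  # Unified2IDSEvent_legacy layout
PACKET_HDR = struct.Struct("!7I")         # Unified2Packet header; frame data follows

def iter_records(data):
    """Yield (type, body) for each record in a unified2 spool byte string."""
    off = 0
    while off + RECORD_HDR.size <= len(data):
        rtype, rlen = RECORD_HDR.unpack_from(data, off)
        off += RECORD_HDR.size
        if off + rlen > len(data):
            raise ValueError("truncated record: spool not fully written yet")
        yield rtype, data[off:off + rlen]
        off += rlen

def correlate(data):
    """Group packet records under their event, keyed by (sensor_id, event_id)."""
    groups = defaultdict(lambda: {"event": None, "packets": []})
    for rtype, body in iter_records(data):
        if rtype == UNIFIED2_IDS_EVENT:
            f = EVENT_FMT.unpack(body)
            groups[(f[0], f[1])]["event"] = {
                "gid": f[5], "sid": f[4], "rev": f[6], "proto": f[13],
                "src": socket.inet_ntoa(f[9]), "sport": f[11],
                "dst": socket.inet_ntoa(f[10]), "dport": f[12]}
        elif rtype == UNIFIED2_PACKET:
            h = PACKET_HDR.unpack_from(body)
            pkt = body[PACKET_HDR.size:PACKET_HDR.size + h[6]]  # h[6] = packet_length
            groups[(h[0], h[1])]["packets"].append(pkt)
    return dict(groups)

def build_sample():
    """Constructed spool: one event (sensor 1, event 42) and the two TCP segments behind it."""
    ev = EVENT_FMT.pack(1, 42, 1317956134, 0, 1000001, 1, 1, 3, 2,
                        socket.inet_aton("10.0.0.5"), socket.inet_aton("192.168.1.9"),
                        40000, 80, 6, 0, 0, 0)
    out = RECORD_HDR.pack(UNIFIED2_IDS_EVENT, len(ev)) + ev
    for payload in (b"seg1", b"seg2"):
        frame = b"\x00" * 54 + payload  # stand-in Ethernet/IP/TCP headers, constructed
        body = PACKET_HDR.pack(1, 42, 1317956134, 1317956134, 0, 1, len(frame)) + frame
        out += RECORD_HDR.pack(UNIFIED2_PACKET, len(body)) + body
    return out
```

Each group's "packets" list is what you would write back out as pcap to view the original segments in Wireshark, since no reassembled pseudo packet exists in the spool.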
