next up previous contents
Next: resp Up: session Previous: Example   Contents


Using the session keyword can slow Snort down considerably, so it should not be used in heavy load situations. The session keyword is best suited for post-processing binary (pcap) log files.

The binary keyword does not log any protocol headers below the application layer, and Stream reassembly will cause duplicate data when the reassembled packets are logged.

Eugene Misnik 2013-05-08