[Snort-devel] spp_tcp_stream.c

Christopher Cramer cec at ...56...
Thu Sep 21 17:12:55 EDT 2000


I was hoping to get some advice.  I sent y'all the spp_tcp_stream.c
preprocessor a couple of days ago and was wondering if you had had a
chance to try it out (or at least look at it).

I've been running it over here without any stability issues.

However, one problem I see with the preprocessor is that on monitored
ports one can get two alerts on the same attack signature.  The reason is
that if the attack is not a stealth attack (i.e. no one has broken the
attack up into multiple tcp packets) the original packet itself generates
an alert.  Then, the dummy packet based on the reconstructed stream will
get sent later on and also generate an alert.

There are a few ways I see around this.  One would be to have the stream
preprocessor ignore larger packets.  However, this would make
reconstruction on later small packets difficult or impossible.  Another
way is to truncate the data of the original packet, but send the packet
through with its port, ip addresses, flags, etc.  From a detection
standpoint, this shouldn't be a problem since the data itself will be
passed along shortly in the form of a reconstructed packet.  The last
alternative is to suck it up and deal w/ two alerts on certain attacks.

Any thoughts?  Suggestions?

Thanks,
Chris
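An added illustration of the double-alert effect described in the post above; it is not code from the original message or from Snort's source. It uses a hypothetical stand-in for the stream reassembler and the detection engine, a constructed sample signature and payloads, and also models the second option (payload truncated, headers passed through) to show that the reconstructed pseudo-packet then produces the single alert in both the whole-packet and split-packet cases.

```c
#include <string.h>

/* Constructed sample signature and payloads; hypothetical, not Snort's own. */
#define SIG "GET /cgi-bin/phf"
#define MAX_DATA 256
/* Minimal model of a packet as the detection engine sees it (headers omitted). */
typedef struct { int dsize; char data[MAX_DATA]; } Pkt;
/* Stand-in for the stream reassembler's per-session buffer. */
typedef struct { int len; char buf[MAX_DATA]; } Stream;

/* Stand-in for the detection engine: one alert if the signature is in the payload. */
static int detect(const Pkt *p) {
    return p->dsize > 0 && strstr(p->data, SIG) != NULL;
}

/* Append a segment's payload to the session buffer (drop it if it would overflow). */
static void stream_add(Stream *s, const Pkt *p) {
    if (s->len + p->dsize >= MAX_DATA) return;
    memcpy(s->buf + s->len, p->data, p->dsize);
    s->len += p->dsize;
    s->buf[s->len] = '\0';
}

/* Run segments through reassembler and detection. truncate=1 models the post's
 * second option: the original packet is passed on with its payload length zeroed. */
static int count_alerts(const char **segs, int n, int truncate) {
    Stream s = { 0, {0} };
    Pkt p;
    int alerts = 0;
    for (int i = 0; i < n; i++) {
        p.dsize = (int)strlen(segs[i]);
        memcpy(p.data, segs[i], p.dsize + 1);
        stream_add(&s, &p);            /* reassembler records the segment first */
        if (truncate) p.dsize = 0;     /* headers still go through, data does not */
        alerts += detect(&p);          /* original packet reaches detection */
    }
    p.dsize = s.len;                   /* dummy packet built from the stream */
    memcpy(p.data, s.buf, s.len + 1);
    return alerts + detect(&p);        /* dummy packet reaches detection too */
}

/* Attack in one segment (the case the post describes) vs. split across two. */
int alerts_single_segment(int truncate) {
    const char *segs[] = { "GET /cgi-bin/phf HTTP/1.0\r\n" };
    return count_alerts(segs, 1, truncate);
}
int alerts_split_segments(int truncate) {
    const char *segs[] = { "GET /cgi-", "bin/phf HTTP/1.0\r\n" };
    return count_alerts(segs, 2, truncate);
}
```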