[Snort-devel] spp_tcp_stream.c

James Hoagland hoagland at ...60...
Thu Sep 21 20:08:33 EDT 2000


I understand your problem.

Without having looked at your preprocessor and with only inferring 
its purpose from this message :), I'd say what you would want is to 
be able to somehow mark a packet that you are storing with a flag 
that tells the detection components of Snort (rules, portscan 
detector, Spade, etc.) not to consider the packet and promises that 
you'll send it through later on.  I do not believe this exists 
presently in Snort.

Note that even if you truncate the data portion of the packet, you 
might get multiple alerts if the signature is based solely on ports, 
IPs and flags.

I hope I understood right.  Just my 2c in any case.

-- Jim

At 5:12 PM -0400 9/21/00, Christopher Cramer wrote:
>I was hoping to get some advice.  I sent y'all the spp_tcp_stream.c
>preprocessor a couple of days ago and was wondering if you had had a
>chance to try it out (or at least look at it).
>
>I've been running it over here without any stability issues.
>However, one problem I see with the preprocessor is that on monitored
>ports one can get two alerts on the same attack signature.  The reason is
>that if the attack is not a stealth attack (i.e. no one has broken the
>attack up into multiple TCP packets) the original packet itself generates
>an alert.  Then, the dummy packet based on the reconstructed stream will
>get sent later on and also generate an alert.
>
>There are a few ways I see around this.  One would be to have the stream
>preprocessor ignore larger packets.  However, this would make
>reconstruction on later small packets difficult or impossible.  Another
>way is to truncate the data of the original packet, but send the packet
>through with its port, IP addresses, flags, etc.  From a detection
>standpoint, this shouldn't be a problem since the data itself will be
>passed along shortly in the form of a reconstructed packet.  The last
>alternative is to suck it up and deal w/ two alerts on certain attacks.
>
>Any thoughts?  Suggestions?

|*   Jim Hoagland, Associate Researcher, Silicon Defense    *|
|*               hoagland at ...60...                *|
|*  Voice: (707) 445-4355 x13          Fax: (707) 445-4222  *|
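The three options discussed in this exchange (passing the original packet through unchanged, truncating its data, or marking it with a "skip me, the data comes back reassembled" flag) and Jim's caveat about port-only rules can be reproduced with a small model of the detection pipeline. The following is an added example written for this thread; it is not spp_tcp_stream.c or any Snort code. The Packet and rule structures are simplified stand-ins, the two rules and the HTTP request are constructed sample data, and the skip_detection flag is the hypothetical marker Jim describes, which Snort did not provide at the time.

```python
"""Toy model of a Snort-style detection pipeline with a TCP stream preprocessor.

Added example for the discussion above; not Snort's code.  Packet, rule and
preprocessor structures are simplified stand-ins, and the skip_detection flag
is the hypothetical marker described in the reply, not something Snort provides.
"""
from collections import Counter
from dataclasses import dataclass, replace


@dataclass
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    seq: int
    flags: str            # TCP flags as letters, e.g. "PA" = PSH+ACK, "FA" = FIN+ACK
    payload: bytes
    skip_detection: bool = False   # hypothetical "already buffered, inspect later" marker
    reassembled: bool = False      # True on the pseudo-packet built from a stream


# Constructed rule set: (alert message, destination port, content or None).
# The second rule matches on port alone, like a rule without a content option.
RULES = [
    ("WEB-CGI /bin/sh in request", 80, b"/bin/sh"),
    ("WEB traffic to port 80", 80, None),
]


def detect(pkt, rules=RULES):
    """Return the alert messages the rule set raises for one packet."""
    if pkt.skip_detection:          # honour the marker: the data comes back reassembled
        return []
    return [msg for msg, port, content in rules
            if pkt.dport == port and (content is None or content in pkt.payload)]


class StreamPreprocessor:
    """Buffer each client->server flow on monitored ports and emit one
    reassembled pseudo-packet when the flow ends.

    mode says how the original packet reaches detection:
      "pass"     - unchanged            (the duplicate-alert problem)
      "truncate" - headers, empty data  (the second option in the question)
      "flag"     - skip_detection set   (the marker suggested in the reply)
    """

    def __init__(self, monitored_ports, mode="pass"):
        self.monitored_ports = set(monitored_ports)
        self.mode = mode
        self.streams = {}            # (src, dst, sport, dport) -> [(seq, payload), ...]

    def process(self, pkt):
        """Return the list of packets detection should be run on for this input."""
        if pkt.dport not in self.monitored_ports:
            return [pkt]
        key = (pkt.src, pkt.dst, pkt.sport, pkt.dport)
        self.streams.setdefault(key, []).append((pkt.seq, pkt.payload))

        if self.mode == "truncate":
            out = [replace(pkt, payload=b"")]
        elif self.mode == "flag":
            out = [replace(pkt, skip_detection=True)]
        else:
            out = [pkt]

        if "F" in pkt.flags:         # flush on FIN; a real preprocessor also flushes on size/timeout
            segments = sorted(self.streams.pop(key))   # order by sequence number
            data = b"".join(payload for _, payload in segments)
            out.append(replace(pkt, seq=segments[0][0], flags="PA", payload=data,
                               skip_detection=False, reassembled=True))
        return out


def alert_counts(packets, preprocessor=None):
    """Run packets through the optional preprocessor and detection; count alerts by message."""
    counts = Counter()
    for pkt in packets:
        for p in (preprocessor.process(pkt) if preprocessor else [pkt]):
            counts.update(detect(p))
    return dict(counts)


def http_flow(segments):
    """Constructed client->server flow: each payload in its own segment, FIN on the last."""
    pkts, seq = [], 1
    for i, payload in enumerate(segments):
        flags = "FA" if i == len(segments) - 1 else "PA"
        pkts.append(Packet("10.0.0.1", "10.0.0.2", 40000, 80, seq, flags, payload))
        seq += len(payload)
    return pkts


REQUEST = b"GET /cgi-bin/x.cgi?cmd=/bin/sh HTTP/1.0\r\n\r\n"   # constructed sample request
ONE_SEGMENT = http_flow([REQUEST])                   # whole attack in one packet
SPLIT = http_flow([REQUEST[:24], REQUEST[24:]])      # "/bin/sh" straddles two packets

if __name__ == "__main__":
    for name, pkts in (("one segment", ONE_SEGMENT), ("split", SPLIT)):
        print(name, "no preprocessor:", alert_counts(pkts))
        for mode in ("pass", "truncate", "flag"):
            print(name, mode + ":", alert_counts(pkts, StreamPreprocessor([80], mode)))
```

With the attack in one segment, "pass" raises the content rule twice (original plus pseudo-packet), "truncate" raises it once but still fires the port-only rule on both the emptied original and the pseudo-packet, and only "flag" brings every rule down to a single alert. With the request split across two segments, no mode detects the content without reassembly, and the pseudo-packet catches it; port-only rules still fire per original packet unless the flag is honoured.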
