[Snort-devel] Multi-Packet detection code

anonpoet jason at ...506...
Fri Aug 17 18:13:36 EDT 2001


Probably.  I just needed something to stop Code Red.  Every now and then
Code Red will break the packets on odd boundaries, evading signature
matches.

Hogwash can't use stream4 because it creates large jumbo packets.  The
attacking packets would still get through while jumbo packets are being
processed.  This way I only have to deal with real packets.

I haven't fully digested the stream4 code.  I was wondering if anyone
could tell me what other cool stuff stream4 does.  I missed most of the
theory discussion and need to play catch-up a little.  In what other
areas is snort using its state engine, besides matching signatures across
packets?

spp_conversation takes a lot less CPU time than stream4, but I wonder if
it still would be cheaper after I add the other features.

Jason
jason at ...506...

On 17 Aug 2001 17:36:25 -0400, tlewis at ...255... wrote:
> On 17 Aug 2001, anonpoet wrote:
> 
> > Well, I just started testing an engine that will detect packets across
> > multiple packets.  I'm going to stick it in the next version of Hogwash.
> > I was wondering if anyone here was interested.
> 
> It definitely sounds like an improvement over what snort does presently,
> but I wonder why you would make it part of Hogwash?  Aren't there other
> parts of snort than pattern-matching that could benefit from such
> data continuity?
> 
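The evasion discussed in this message (a signature split across two real packets at an odd boundary, which a per-packet matcher misses) and the alternative to matching on stream4's reassembled jumbo packets, as an added example. This is not code from the thread, from Hogwash, or from Snort; it shows three matchers side by side: a naive per-packet search, a full per-flow reassembly search, and a per-flow "carry-over" matcher that keeps only the last len(pattern)-1 bytes of each flow and so can give a verdict on each real packet as it arrives. The flow tuples, the split request and the pattern byte string are constructed for the example; the matcher assumes segments arrive in order and without overlapping retransmissions.

```python
"""Cross-packet signature matching with and without stream reassembly.

Added example (not Hogwash or Snort code).  Assumes an in-order,
duplicate-free byte stream per flow; TCP reordering and overlap tricks
are exactly what a reassembler such as stream4 exists to handle.
"""
from typing import Dict, List, Tuple

FlowKey = Tuple[str, int, str, int]   # (src ip, src port, dst ip, dst port)
Packet = Tuple[FlowKey, bytes]        # (flow, TCP payload)

# Signature to search for: the request target Code Red used.  The packets
# below are constructed for this example, not captured traffic.
PATTERN = b"default.ida?"

ATTACK_FLOW: FlowKey = ("10.0.0.5", 4321, "10.0.0.80", 80)
CLEAN_FLOW: FlowKey = ("10.0.0.6", 4322, "10.0.0.80", 80)

_request = b"GET /default.ida?" + b"N" * 40 + b" HTTP/1.0\r\n"
SAMPLE_PACKETS: List[Packet] = [
    (CLEAN_FLOW, b"GET /index.html HTTP/1.0\r\n"),
    (ATTACK_FLOW, _request[:10]),    # b"GET /defau"  -- pattern cut here
    (ATTACK_FLOW, _request[10:]),    # b"lt.ida?NNNN..."
]


def per_packet_match(packets: List[Packet], pattern: bytes) -> List[int]:
    """Naive matcher: indices of packets whose own payload holds the pattern.
    A pattern split across a packet boundary is never seen."""
    return [i for i, (_, payload) in enumerate(packets) if pattern in payload]


def reassembled_match(packets: List[Packet], pattern: bytes) -> List[FlowKey]:
    """Reassemble every flow into one buffer, then search it.  Catches the
    split, but only after the whole buffer exists, so the individual
    packets have already gone by (the jumbo-packet problem for an inline
    engine)."""
    buffers: Dict[FlowKey, bytearray] = {}
    for key, payload in packets:
        buffers.setdefault(key, bytearray()).extend(payload)
    return [key for key, buf in buffers.items() if pattern in buf]


class CarryOverMatcher:
    """Per-packet matcher that remembers, per flow, the last len(pattern)-1
    bytes seen.  Any occurrence that ends inside the current packet starts
    at most len(pattern)-1 bytes before it, so prepending the saved tail
    is enough to find it, no matter how many packets it spans.  State per
    flow is bounded by the pattern length, not by the stream."""

    def __init__(self, pattern: bytes) -> None:
        if not pattern:
            raise ValueError("pattern must be non-empty")
        self.pattern = pattern
        self.keep = len(pattern) - 1
        self.tail: Dict[FlowKey, bytes] = {}

    def inspect(self, key: FlowKey, payload: bytes) -> bool:
        """Return True if the pattern ends in this packet (the packet an
        inline engine would drop)."""
        window = self.tail.get(key, b"") + payload
        hit = self.pattern in window
        self.tail[key] = window[-self.keep:] if self.keep else b""
        return hit

    def forget(self, key: FlowKey) -> None:
        """Drop state for a finished flow (call on FIN/RST or timeout)."""
        self.tail.pop(key, None)


def run_demo(packets: List[Packet] = SAMPLE_PACKETS,
             pattern: bytes = PATTERN) -> Dict[str, list]:
    """Run all three matchers over the same packet list."""
    matcher = CarryOverMatcher(pattern)
    carry_hits = [i for i, (key, payload) in enumerate(packets)
                  if matcher.inspect(key, payload)]
    return {
        "per_packet": per_packet_match(packets, pattern),
        "reassembled": reassembled_match(packets, pattern),
        "carry_over": carry_hits,
    }


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(f"{name:12s} -> {result}")
```

The per-packet matcher reports nothing, the reassembly matcher names the attacking flow but only once the buffer is complete, and the carry-over matcher flags packet 2 at the moment it arrives while holding at most eleven bytes of state per flow. What it does not do is reorder or de-duplicate segments: an attacker who sends the second half first, or overlaps a retransmission, gets past it, which is the part of the problem a reassembler handles.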