[Snort-devel] Snort Session re-assembly

Martin Roesch roesch at ...402...
Thu Apr 18 08:35:08 EDT 2002


If you want the single-byte detects for the real scripts that are being
accessed, turn off the rule that's going off, that's Snort's "first exit"
engine doing it's job.  If you want to extend the tracking time for a
session, increase the default timeout value for the stream4 preprocessor:

preprocessor stream4: timeout 3600, detect_scans

The stream reassembly is working exactly as it's designed to, you've got to
understand the available options and how Snort's detection engine works to
make best use of it.

Now, wasn't that easy...

    -Marty


On 4/17/02 2:54 PM, "ktimm at ...364..." <ktimm at ...364...> wrote:

> I've been working with doing some testing on Snort session re-assembly
> using Whisker style splicing. There seems to be some problems with Snorts
> stream re-assembly and how it actually detects attacks. In short , I set it
> up in a lab that allows different time intervals as well as different size
> splices (to avoid the default Snort Whisker rules ). Depending on what is
> sent differnt rules are triggered. When 1 byte splices are sent Whisker
> rules trigger only. When larger splices are sent (I sent some unicode stuff
> for testing since it should lite up the alerts file) I may get a unicode
> alert or I may get scripts access alert. When I lengthen the amount of time
> (whish IIS convienently allows tobe quite large) Snort can be totally
> evaded. In comparison I had a Cisco sensor in the lab as well which
> flawlessy detected all the attacks except the ones which took a significant
> amount of time. This would lead me to believe that the Snort stream re-
> assembly isn't really working correctly. I have port 80 set for re-assembly
> with stream4 and am testing with 1.8.6. I will be happy to send all the
> results and logs off line aas well as conf files and ehatever is needed.
> 
> Any Ideas ?
> 
> 
> Kevin
> 
> 
> 
> _______________________________________________
> Snort-devel mailing list
> Snort-devel at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-devel
> 

-- 
Martin Roesch - Founder/CEO, Sourcefire Inc. - (410)290-1616
Sourcefire: Professional Snort Sensor and Management Console appliances
roesch at ...402... - http://www.sourcefire.com
Snort: Open Source Network IDS - http://www.snort.org





More information about the Snort-devel mailing list