[Snort-devel] New feature in snort - mark modified packets

Martin Olsson elof at ...969...
Mon Jul 7 06:16:21 EDT 2003

On Fri, 27 Jun 2003, Chris Green wrote:
> Martin Olsson <elof at ...969...> writes:
> > It would be nice to know if the packet payload one is looking at in ACID
> > (or tcpdump) is an original packet, an uber-packet or if it is modified in
> > any way.
> tcpdump is not really doable other than overloading some header field.

That's messy. Just let the packet be and put the information in the
related alert instead.

> acid is doable but requires changes to
>  1) spo_database
>  2) ACID
>  3) all the parts of snort that touch a packet flag parameter (
>     probably would have a new set of packet marks )
>  4) barnyard

Yep, many of my requests for new features require quite a lot of work,
but I think many of them (this is one of them) are so important that
it should be done anyway.
I mean, when you have a SOC and an operator staring at alerts all day,
it's nice to make his life as easy as possible. By including
packet-modification info in the alert, it's much easier for the operator
to understand what he's looking at and to understand why the packet looks
like it does.

> > Could snort include a label indicating the origin of the logged
> > packet?
> > Like this:
> > O = Original packet, not modified
> > U = This is an uber-packet assembled from stream4
> > M = Modified packet (some preprocessor has modified the packet and the
> >     original no longer exists)
> The M's really should go away eventually.  Only telnet & rpc decode
> still act in that way I believe.

My thought exactly. By including this new tag we get a bonus: all the
authors of plugins generating "M" would get an extra push to rewrite the
code, using the Alternate packet standard instead. :)

> > Anyone else think this is a good idea?
> It is a good idea. Just a lot of work :)
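As an added illustration of the O/U/M origin label proposed above (this is not Snort code and not code from anyone in this thread; the class names, the IAC-stripping routine and the sample segments are all constructed here), the sketch below shows why an operator benefits from the tag: a signature that matches nothing in either original segment fires on the reassembled U pseudo-packet, and a telnet-negotiation stripper that rewrites the payload in place relabels the packet M so the logged bytes are not mistaken for what was on the wire.

```python
"""Constructed illustration of O/U/M packet-origin labels carried into alerts.
Not Snort's implementation; names and sample data are assumptions."""

from dataclasses import dataclass, field
from typing import List, Optional

ORIGINAL = "O"   # original packet, not modified
UBER = "U"       # pseudo-packet reassembled from a stream (stream4-style)
MODIFIED = "M"   # a preprocessor rewrote the payload; the original is gone


@dataclass
class Packet:
    seq: int
    payload: bytes
    origin: str = ORIGINAL
    history: List[str] = field(default_factory=list)  # which step produced it


@dataclass
class Alert:
    msg: str
    origin: str      # the O/U/M label the operator would see in ACID
    payload: bytes


# Telnet option-negotiation bytes (RFC 854); used by the constructed stripper.
IAC, DONT, DO, WONT, WILL, SB, SE = 255, 254, 253, 252, 251, 250, 240


def strip_telnet_negotiation(pkt: Packet) -> Packet:
    """telnet_decode-style in-place normalisation: drop IAC sequences so the
    engine sees the bare command text. Because the original bytes no longer
    exist afterwards, the packet is relabelled M (an assumed convention)."""
    data = pkt.payload
    out = bytearray()
    i = 0
    while i < len(data):
        b = data[i]
        if b != IAC:
            out.append(b)
            i += 1
            continue
        nxt = data[i + 1] if i + 1 < len(data) else None
        if nxt == IAC:                      # IAC IAC escapes a literal 0xff
            out.append(IAC)
            i += 2
        elif nxt in (DO, DONT, WILL, WONT):  # three-byte option negotiation
            i += 3
        elif nxt == SB:                      # subnegotiation up to IAC SE
            end = data.find(bytes([IAC, SE]), i + 2)
            i = len(data) if end < 0 else end + 2
        else:                                # two-byte command (NOP, etc.)
            i += 2
    if bytes(out) != data:
        pkt.payload = bytes(out)
        pkt.origin = MODIFIED
        pkt.history.append("telnet_decode")
    return pkt


def reassemble(segments: List[Packet]) -> Packet:
    """stream4-style: join in-order segments into one pseudo-packet labelled U.
    The individual segments keep their own O label and are left untouched."""
    ordered = sorted(segments, key=lambda p: p.seq)
    payload = b"".join(p.payload for p in ordered)
    return Packet(seq=ordered[0].seq, payload=payload, origin=UBER,
                  history=["stream4_reassembly"])


def detect(pkt: Packet, pattern: bytes, msg: str) -> Optional[Alert]:
    """Minimal content match; the alert carries the packet's origin label."""
    if pattern in pkt.payload:
        return Alert(msg=msg, origin=pkt.origin, payload=pkt.payload)
    return None


def format_alert(a: Alert) -> str:
    return f"[{a.origin}] {a.msg} payload={a.payload!r}"


if __name__ == "__main__":
    # Constructed sample: the string "/etc/passwd" is split across two segments.
    segs = [Packet(seq=1, payload=b"cat /etc/pass"), Packet(seq=14, payload=b"wd\n")]
    for s in segs:
        print("segment:", detect(s, b"/etc/passwd", "passwd read"))  # None, None
    uber = reassemble(segs)
    print(format_alert(detect(uber, b"/etc/passwd", "passwd read")))   # [U] ...
    tp = strip_telnet_negotiation(Packet(seq=1, payload=b"cat /etc\xff\xfd\x03/passwd\n"))
    print(format_alert(detect(tp, b"/etc/passwd", "passwd read")))     # [M] ...
```

The point the label makes for the operator is visible in the two alerts: the U alert's payload was never a single packet on the wire, and the M alert's payload has had the IAC DO bytes removed, so neither should be compared byte-for-byte against a tcpdump capture.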
