[Snort-devel] New feature in snort - mark modified packets
elof at ...969...
Mon Jul 7 06:16:21 EDT 2003
On Fri, 27 Jun 2003, Chris Green wrote:
> Martin Olsson <elof at ...969...> writes:
> > It would be nice to know if the packet payload one is looking at in ACID
> > (or tcpdump) is an original packet, an uber-packet or if it is modified in
> > any way.
> tcpdump is not really doable other than overloading some header field.
That's messy. Just let the packet be and put the information in the
related alert instead.
> acid is doable but requires changes to
> 1) spo_database
> 2) ACID
> 3) all the parts of snort that touch a packet flag parameter (
> probably would have a new set of packet marks )
> 4) barnyard
Yepp, many of my requests for new features require quite a lot of work,
but I think many of them (this is one of them) are so important that
it should be done anyway.
I mean, when you have a SOC and an operator staring at alerts all day,
it's nice to make his life as easy as possible. By including
packet-modification info in the alert, it's much easier for the operator
to understand what he's looking at and understand why the packet looks
like it does.
> > Could snort include a label indicating the origin of the logged
> > packet?
> > Like this:
> > O = Original packet, not modified
> > U = This is an uber-packet assembled from stream4
> > M = Modified packet (some preprocessor has modified the packet and the
> > original no longer exists)
> The M's really should go away eventually. Only telnet & rpc decode
> still act in that way I believe.
My thought exactly. By including this new tag we get a bonus: all the
authors of plugins generating "M" would get an extra push to rewrite the
code, using the Alternate packet standard instead. :)
> > Anyone else think this is a good idea?
> It is a good idea. Just a lot of work :)
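The O/U/M labelling proposed in this thread, as an added example that is not Snort's code nor anything the participants posted: the Packet and Alert structures, the stream4 reassembly stand-in, the telnet IAC stripping and the alert line format are all assumptions made up for illustration.

```python
# Added example: carry a packet-origin marker (O/U/M) from the point where a
# packet is assembled or rewritten through to the alert an operator sees.
from dataclasses import dataclass
from typing import List, Tuple

ORIGINAL = "O"   # packet as seen on the wire, untouched
UBER = "U"       # uber-packet reassembled from several segments (stream4)
MODIFIED = "M"   # a preprocessor rewrote the payload; the original is gone

@dataclass
class Packet:
    payload: bytes
    origin: str = ORIGINAL
    segments: int = 1          # how many wire packets went into this one

@dataclass
class Alert:
    sid: int
    msg: str
    origin: str
    payload: bytes

def stream4_reassemble(segments: List[bytes]) -> Packet:
    """Stand-in for stream4: glue segment payloads into one uber-packet."""
    return Packet(b"".join(segments), origin=UBER, segments=len(segments))

def strip_telnet_iac(data: bytes) -> bytes:
    """Drop telnet negotiation (IAC sequences); IAC IAC is an escaped 0xff."""
    out, i = bytearray(), 0
    while i < len(data):
        if data[i] != 0xFF:
            out.append(data[i]); i += 1
        elif i + 1 < len(data) and data[i + 1] == 0xFF:
            out.append(0xFF); i += 2            # escaped data byte
        elif i + 1 < len(data) and 0xFB <= data[i + 1] <= 0xFE:
            i += 3                               # IAC WILL/WONT/DO/DONT <opt>
        else:
            i += 2                               # other two-byte IAC command
    return bytes(out)

def telnet_decode_in_place(pkt: Packet) -> Packet:
    """Old style: rewrite the packet itself, so it must be marked M."""
    pkt.payload, pkt.origin = strip_telnet_iac(pkt.payload), MODIFIED
    return pkt

def telnet_decode_alternate(pkt: Packet) -> Tuple[Packet, Packet]:
    """Alternate-packet style: original stays O, detection gets a decoded copy."""
    return pkt, Packet(strip_telnet_iac(pkt.payload), origin=pkt.origin)

def make_alert(sid: int, msg: str, pkt: Packet) -> Alert:
    return Alert(sid, msg, pkt.origin, pkt.payload)

def format_alert(a: Alert) -> str:
    """One console line; origin= tells the operator what kind of packet it is."""
    return f"[{a.sid}] {a.msg} origin={a.origin} payload={a.payload!r}"
```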