[Snort-devel] New feature in snort - mark modified packets

Martin Olsson elof at ...969...
Mon Jun 23 08:58:19 EDT 2003

It would be nice to know if the packet payload one is looking at in ACID
(or tcpdump) is an original packet, an uber-packet or if it is modified in
any way.

Could snort include a label indicating the origin of the logged packet?

Like this:
O = Original packet, not modified
U = This is an uber-packet assembled from stream4
M = Modified packet (some preprocessor has modified the packet and the
    original no longer exists)
A = This is an alternate packet (some preprocessor has modified the
    packet, but the original still exists in memory (when this was logged))
N = Payload does not exist. The alert is built on statistics, counters,

...or maybe this is better:

A field containing a list of all the functions that have modified the
packet in some way. Maybe several preprocessors (and some output plugin)
have modified the packet between the capture and the log, then just one
position for the label is not enough.

When the packet is captured from the interface the list contains only:
As it passes through the preprocessors they add a label if they have
modified it.
"Original --> modified(rpc_decode)"
"Original --> alternate(telnet_decode) --> uber-packet(stream4)"

The above would be the parsed text. The logged data would be much smaller
since O, U, M, A and N as well as the preprocessors have numeric
representations (see the file generators).

I hope this could be included in snort. I think it would add to the
understanding of the alert when analyzed by an operator.

Anyone else think this is a good idea?

Martin Olsson
Sentor AB, Sweden
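
Added example, not part of the original post and not Snort code: one way the label chain proposed above could be stored as small numeric records and rendered back to the parsed text at analysis time. The numeric generator IDs, the two-byte record layout and all function names are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed for illustration: constructed IDs, not values from Snort's generators file. */
enum { GEN_NONE, GEN_RPC_DECODE, GEN_TELNET_DECODE, GEN_STREAM4, GEN_COUNT };
enum { ST_ORIGINAL, ST_UBER, ST_MODIFIED, ST_ALTERNATE, ST_NOPAYLOAD, ST_COUNT };
static const char *st_name[ST_COUNT] = { "Original", "uber-packet", "modified", "alternate", "no-payload" };
static const char *gen_name[GEN_COUNT] = { "", "rpc_decode", "telnet_decode", "stream4" };

#define PROV_MAX 8
/* Hypothetical log record: one 16-bit entry per step, state in the high byte, generator in the low byte. */
typedef struct { uint8_t n; uint16_t hop[PROV_MAX]; } prov_chain;

/* At capture time the chain holds only the "Original" entry. */
void prov_init(prov_chain *c) { c->n = 1; c->hop[0] = (uint16_t)((ST_ORIGINAL << 8) | GEN_NONE); }

/* A preprocessor that touched the packet appends its label; -1 if full or out of range. */
int prov_append(prov_chain *c, unsigned state, unsigned gen)
{
    if (c->n >= PROV_MAX || state >= ST_COUNT || gen >= GEN_COUNT) return -1;
    c->hop[c->n++] = (uint16_t)((state << 8) | gen);
    return 0;
}

/* Render the parsed text; returns its length, or -1 on a corrupt record or short buffer. */
int prov_render(const prov_chain *c, char *out, size_t len)
{
    size_t used = 0;
    if (len == 0 || c->n > PROV_MAX) return -1;
    out[0] = '\0';
    for (unsigned i = 0; i < c->n; i++) {
        unsigned st = c->hop[i] >> 8, gen = c->hop[i] & 0xffu;
        if (st >= ST_COUNT || gen >= GEN_COUNT) return -1;
        int w = snprintf(out + used, len - used, "%s%s%s%s%s", i ? " --> " : "",
                         st_name[st], gen ? "(" : "", gen_name[gen], gen ? ")" : "");
        if (w < 0 || (size_t)w >= len - used) return -1;
        used += (size_t)w;
    }
    return (int)used;
}

int main(void)
{
    prov_chain c; char buf[128];
    prov_init(&c);
    prov_append(&c, ST_ALTERNATE, GEN_TELNET_DECODE);
    prov_append(&c, ST_UBER, GEN_STREAM4);
    if (prov_render(&c, buf, sizeof buf) > 0) puts(buf);
    return 0;
}
```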
