[Snort-devel] New feature in snort - mark modified packets
elof at ...969...
Mon Jun 23 08:58:19 EDT 2003
It would be nice to know if the packet payload one is looking at in ACID
(or tcpdump) is an original packet, an uber-packet or if it is modified in
Could snort include a label indicating the origin of the logged packet?
O = Original packet, not modified
U = This is an uber-packet assembled from stream4
M = Modified packet (some preprocessor has modified the packet and the
original no longer exists)
A = This is an alternate packet (some preprocessor has modified the
packet, but the original still exists in memory (when this was logged))
N = Payload does not exist. The alert is built on statistics, counters,
...or maybe this is better:
A field containing a list of all the functions that have modified the
packet in some way. Maybe several preprocessors (and some output plugin)
have modified the packet between the capture and the log, then just one
position for the label is not enough.
When the packet is captured from the interface the list contains only:
As it passes through the preprocessors they add a label if they have
"Original --> modified(rpc_decode)"
"Original --> alternate(telnet_decode) --> uber-packet(stream4)"
The above would be the parsed text. The logged data would be much smaller
since O, U, M, A and N as well as the preprocessors have numeric
representations (see the file generators).
I hope this could be included in snort. I think it would add to the
understanding of the alert when analyzed by an operator.
Anyone else think this is a good idea?
Sentor AB, Sweden
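An added example, not Snort code and not part of elof's message: a sketch in C of the second variant above, a trail of (label, generator) entries that starts out as "Original", gets one entry appended by each preprocessor that touches the packet, is logged as a few bytes, and is parsed back into the "Original --> modified(rpc_decode)" text form. The label codes, the generator IDs (0, 106, 111, 126), the record layout and every function name here are my assumptions, not values taken from the generators file. The decoder treats the count byte as untrusted input, since a console such as ACID would be reading it from a log it did not write.

```c
/* Added example, not Snort code and not from the original post: one way to carry
 * the proposed provenance trail, log it compactly and render it back as
 * "Original --> ...". Label codes, generator IDs and record layout are assumed. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum prov_label {            /* the five letters from the proposal */
    PROV_ORIGINAL  = 0,      /* O: captured packet, untouched */
    PROV_UBER      = 1,      /* U: pseudo-packet reassembled by stream4 */
    PROV_MODIFIED  = 2,      /* M: rewritten in place, original gone */
    PROV_ALTERNATE = 3,      /* A: decoded copy, original still in memory */
    PROV_NOPAYLOAD = 4       /* N: no payload, alert built from counters */
};
enum prov_gen {              /* assumed IDs standing in for the generators file */
    GEN_CAPTURE = 0, GEN_RPC_DECODE = 106, GEN_STREAM4 = 111, GEN_TELNET_DECODE = 126
};
#define PROV_MAX 8           /* hard bound so a bad record cannot overrun the trail */
struct prov_entry { uint8_t label; uint16_t gen; };
struct prov_trail { uint8_t n; struct prov_entry e[PROV_MAX]; };

static const char *label_name(uint8_t l)
{
    static const char *const names[] = {"Original", "uber-packet", "modified", "alternate", "no-payload"};
    return l <= PROV_NOPAYLOAD ? names[l] : "unknown";
}
static const char *gen_name(uint16_t g)
{
    switch (g) {
    case GEN_RPC_DECODE:    return "rpc_decode";
    case GEN_STREAM4:       return "stream4";
    case GEN_TELNET_DECODE: return "telnet_decode";
    default:                return "unknown";
    }
}

/* At capture time the trail holds only "Original". */
static void prov_init(struct prov_trail *t) { t->n = 1; t->e[0].label = PROV_ORIGINAL; t->e[0].gen = GEN_CAPTURE; }
/* A preprocessor that touched the packet appends its label; -1 when the trail is full. */
static int prov_add(struct prov_trail *t, enum prov_label l, uint16_t gen)
{
    if (t->n >= PROV_MAX) return -1;
    t->e[t->n].label = (uint8_t)l; t->e[t->n++].gen = gen;
    return 0;
}
/* Log record: count byte, then (label, gen_hi, gen_lo) per entry; returns bytes written or -1. */
static int prov_encode(const struct prov_trail *t, uint8_t *out, size_t cap)
{
    size_t i, need = 1 + 3u * t->n;
    if (cap < need) return -1;
    out[0] = t->n;
    for (i = 0; i < t->n; i++) {
        out[1 + 3 * i] = t->e[i].label;
        out[2 + 3 * i] = (uint8_t)(t->e[i].gen >> 8); out[3 + 3 * i] = (uint8_t)t->e[i].gen;
    }
    return (int)need;
}

/* Parse a record. The count byte is untrusted log data: bound it by the buffer length
 * and PROV_MAX before copying; truncated, oversized or unknown-label records give -1. */
static int prov_decode(const uint8_t *in, size_t len, struct prov_trail *t)
{
    size_t i, n;
    if (len < 1) return -1;
    n = in[0];
    if (n > PROV_MAX || len < 1 + 3 * n) return -1;
    for (i = 0; i < n; i++) {
        if (in[1 + 3 * i] > PROV_NOPAYLOAD) return -1;
        t->e[i].label = in[1 + 3 * i];
        t->e[i].gen = (uint16_t)((in[2 + 3 * i] << 8) | in[3 + 3 * i]);
    }
    t->n = (uint8_t)n;
    return (int)(1 + 3 * n);
}

/* Render the parsed text form; returns its length, or -1 if buf is too small. */
static int prov_render(const struct prov_trail *t, char *buf, size_t cap)
{
    size_t i, used = 0;
    if (cap == 0) return -1;
    buf[0] = '\0';
    for (i = 0; i < t->n; i++) {
        const struct prov_entry *e = &t->e[i];
        int w = (e->label == PROV_ORIGINAL)
            ? snprintf(buf + used, cap - used, "%s%s", i ? " --> " : "", label_name(e->label))
            : snprintf(buf + used, cap - used, "%s%s(%s)", i ? " --> " : "",
                       label_name(e->label), gen_name(e->gen));
        if (w < 0 || (size_t)w >= cap - used) return -1;
        used += (size_t)w;
    }
    return (int)used;
}
int main(void)
{
    struct prov_trail t; char text[128];
    prov_init(&t); prov_add(&t, PROV_ALTERNATE, GEN_TELNET_DECODE); prov_add(&t, PROV_UBER, GEN_STREAM4);
    if (prov_render(&t, text, sizeof text) > 0) printf("%s\n", text);
    return 0;
}
```

The division of labour would be: prov_init when the packet comes off the wire, prov_add from each preprocessor that touched it, prov_encode in the output plugin, and prov_decode followed by prov_render on the analysis side. The main() builds the telnet_decode/stream4 trail from the message and prints its text form. Three bytes per entry is enough here because a one-byte label plus a 16-bit generator ID covers the O/U/M/A/N set and the numeric preprocessor IDs; the count byte is what keeps a short or corrupt record from being read past its end.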