[Snort-devel] New feature in snort - mark modified packets

Chris Green cmg at ...402...
Fri Jun 27 05:40:13 EDT 2003

Martin Olsson <elof at ...969...> writes:

> It would be nice to know if the packet payload one is looking at in ACID
> (or tcpdump) is an original packet, an uber-packet or if it is modified in
> any way.

tcpdump is not really doable other than overloading some header field.

acid is doable but requires changes to

 1) spo_database
 2) ACID
 3) all the parts of snort that touch a packet flag parameter
    (probably would have a new set of packet marks)
 4) barnyard

> Could snort include a label indicating the origin of the logged
> packet?

> Like this:
> O = Original packet, not modified
> U = This is an uber-packet assembled from stream4
> M = Modified packet (some preprocessor has modified the packet and the
>     original no longer exists)

Doable right now.  Frag2 is not doable at the moment, however, and
requires a bit of work to get around it.  It's not unworkable, just a

The M's really should go away eventually.  Only telnet & rpc decode
still act in that way I believe.

> Anyone else think this is a good idea?

It is a good idea. Just a lot of work :)
Chris Green <cmg at ...402...>
You now have 14 minutes to reach minimum safe distance.
