[Snort-devel] New feature in snort - mark modified packets
cmg at ...402...
Fri Jun 27 05:40:13 EDT 2003
Martin Olsson <elof at ...969...> writes:
> It would be nice to know if the packet payload one is looking at in ACID
> (or tcpdump) is an original packet, an uber-packet or if it is modified in
> any way.
tcpdump is not really doable other than overloading some header field.
acid is doable but requires changes to
3) all the parts of snort that touch a packet flag parameter (
probably would have a new set of packet marks )
> Could snort include a label indicating the origin of the logged
> Like this:
> O = Original packet, not modified
> U = This is an uber-packet assembled from stream4
> M = Modified packet (some preprocessor have modified the packet and the
> original no longer exist)
Doable right now. Frag2 is not doable at the moment however and
requires a bit of work to get around it. It's not unworkable, just a
The M's really should go away eventually. Only telnet & rpc decode
still act in that way I believe.
> Anyone else think this is a good idea?
It is a good idea. Just a lot of work :)
Chris Green <cmg at ...402...>
You now have 14 minutes to reach minimum safe distance.
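An added illustration of the O/U/M idea discussed above; this is not code from the thread, and it is not Snort's packet structure, stream4 or telnet_decode. The struct, the flag names, `reassemble`, `telnet_normalize` and the simplified IAC handling are all assumptions made for this sketch. The point it shows is the one that matters for ACID: a packet that was reassembled keeps its wire bytes (U), while a packet whose payload was rewritten in place (M) can no longer be compared byte-for-byte with what crossed the wire.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Origin marks for a logged packet, following the O/U/M labels proposed in
 * the thread. Names, struct and functions are assumptions for this sketch,
 * not Snort's own packet structure or API. */
enum pkt_origin {
    PKT_UBER     = 1u << 0,  /* assembled from several segments (stream4-style) */
    PKT_MODIFIED = 1u << 1   /* payload rewritten in place, original bytes gone */
};

#define MAX_PAYLOAD 512

struct pkt {
    uint8_t data[MAX_PAYLOAD];
    size_t len;
    unsigned flags;  /* bitmask of enum pkt_origin; 0 means untouched wire bytes */
};

/* Builds a packet from constructed sample bytes. Returns 0 on success. */
int make_pkt(struct pkt *p, const void *bytes, size_t len)
{
    if (len > MAX_PAYLOAD) return -1;
    memcpy(p->data, bytes, len);
    p->len = len;
    p->flags = 0;
    return 0;
}

/* Label a frontend such as ACID would show next to the payload.
 * M takes precedence: once bytes were rewritten it no longer matters
 * whether they came from one segment or several. */
char origin_label(const struct pkt *p)
{
    if (p->flags & PKT_MODIFIED) return 'M';
    if (p->flags & PKT_UBER)     return 'U';
    return 'O';
}

/* stream4-style reassembly: concatenates in-order segments into one pseudo
 * packet and marks it U. Returns the resulting length, or 0 on overflow. */
size_t reassemble(struct pkt *out, const struct pkt *segs, size_t nsegs)
{
    size_t total = 0;
    for (size_t i = 0; i < nsegs; i++) total += segs[i].len;
    if (total > MAX_PAYLOAD) return 0;
    out->len = 0;
    for (size_t i = 0; i < nsegs; i++) {
        memcpy(out->data + out->len, segs[i].data, segs[i].len);
        out->len += segs[i].len;
    }
    out->flags = PKT_UBER;
    return out->len;
}

/* telnet_decode-style normalisation: strips IAC (0xFF) negotiation sequences
 * in place so rules match the application data. Simplified: handles IAC IAC
 * (escaped 0xFF), 3-byte WILL/WONT/DO/DONT and 2-byte commands, but not
 * SB ... SE subnegotiation. If anything was removed the packet is marked M,
 * because the logged payload no longer equals the bytes seen on the wire.
 * Returns the new length. */
size_t telnet_normalize(struct pkt *p)
{
    size_t r = 0, w = 0;
    while (r < p->len) {
        if (p->data[r] != 0xFF || r + 1 >= p->len) {
            p->data[w++] = p->data[r++];         /* plain data or trailing lone 0xFF */
        } else {
            uint8_t cmd = p->data[r + 1];
            if (cmd == 0xFF) {                   /* IAC IAC -> literal 0xFF */
                p->data[w++] = 0xFF;
                r += 2;
            } else if (cmd >= 0xFB && cmd <= 0xFE && r + 2 < p->len) {
                r += 3;                          /* IAC WILL/WONT/DO/DONT <option> */
            } else {
                r += 2;                          /* other two-byte command */
            }
        }
    }
    if (w != p->len) {
        p->len = w;
        p->flags |= PKT_MODIFIED;
    }
    return p->len;
}

int main(void)
{
    /* Constructed sample: a telnet login prompt preceded by IAC DO ECHO. */
    static const uint8_t wire[] = { 0xFF, 0xFD, 0x01, 'l', 'o', 'g', 'i', 'n', ':' };
    struct pkt p;
    make_pkt(&p, wire, sizeof wire);
    printf("before: %c len=%zu\n", origin_label(&p), p.len);
    telnet_normalize(&p);
    printf("after:  %c len=%zu\n", origin_label(&p), p.len);
    return 0;
}
```

Build with `gcc -std=c99 -Wall` and run; the label flips from O to M once the IAC bytes are stripped, which is exactly the case where an analyst looking at the logged payload needs to know the original is gone. The precedence in `origin_label` is a design choice: a reassembled packet that was later normalised is reported as M, not U, since the modification is the fact that affects evidence handling.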