[Snort-devel] Content across multiple packets Not detected by Snort

Dennis George easyeinfo at ...398...
Fri Apr 23 23:51:02 EDT 2004


Hi Abhijit,
 
I am not talking about packet fragmentation. I will give you a scenario.... When you send a huge data.. the data cannot be sent in a single packet but in multiple packets.... thus if your key word is splitted in two packets then snort is not detecting it......
 
frag2 is for fragmentation (a single packet splitted in many fragments)
 
And Sorry I didn't find anything like tcp_reassemble in snort.... I searched the internet also....
Is it supported in Snort 2.1.0 ?????
 
Thanks and Regards
Dennis

abhijit deodhar <abhideodhar at ...2224...> wrote:
Hello,
I have been working on Snort code for past 7-8 months.
I think u r looking into the wrong preprocessor.
Try out tcp_reassemble or frag2 preprocessor.
Bcoz that handles the fragmentation of packets.

if it doesn.t work then in the decode.h you can see
that snort appends ip fragmented packets to it's own
structure packet. tru out that first. error will be
surely there.


Bye
Abhijit

--- Dennis George wrote: > Hi
all,
> 
> Intro :
> I am working with snort from the last 3 weeks. I am
> using Snort 2.1.0 for content monitoring.
> 
> Problem :
> My problem is that if the content I am monitoring is
> splitted across two packets then Snort is not
> detecting it.
> 
> Home Work:
> In my configuration file I have enabled stream4 and
> stream4_reassemble.
> 
> my snort.conf file
> preprocessor stream4: detect_scans,
> disable_evasion_alerts, log_flushed_streams
> 
> preprocessor stream4_reassemble
> preprocessor stream4_reassemble : clientonly, ports
> 25 80 3131
> 
> my rule file
> alert tcp any any -> any any (content: "Hello
> World"; msg: "Got the message"; nocase;)
> 
> But still it is not detecting my content "Hello
> World" if it is splitted in two packets.
> 
> Earlier I thought Stream4 is not working so I
> debugged it.... But stream4 is working fine... It is
> enabled and it is forming the Session tree (splay
> tree). But in the Detection engine only packets are
> sent not the Session tree or the assembled
> packet......
> 
> Request ::
> So you people please guide me where am I going
> wrong. Am I looking in the right place (stream4).
> 
> Thanks in advance
> Dennis George
> 
> 

		
---------------------------------
Do you Yahoo!?
Yahoo! Photos: High-quality 4x6 digital prints for 25¢
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-devel/attachments/20040423/f19f1e34/attachment.html>


More information about the Snort-devel mailing list