[Snort-devel] Content across multiple packets Not detected by Snort

Dennis George easyeinfo at ...398...
Sun Apr 25 22:21:01 EDT 2004


Hi Marty,
 
I do have the libpcap library installed and I am working on Linux 2.4.x
 
Thanks and regards
Dennis

Martin Roesch <roesch at ...402...> wrote:
Got pcaps? What platform?

On Apr 23, 2004, at 4:59 AM, Dennis George wrote:

> Hi all,
>  
> Intro :
> I have been working with Snort for the last 3 weeks. I am using Snort 2.1.0 
> for content monitoring.
>  
> Problem :
> My problem is that if the content I am monitoring is split across 
> two packets then Snort is not detecting it.
>  
> Home Work:
> In my configuration file I have enabled stream4 and stream4_reassemble.
>  
> my snort.conf file
> preprocessor stream4: detect_scans, disable_evasion_alerts, 
> log_flushed_streams
>  
> preprocessor stream4_reassemble
> preprocessor stream4_reassemble : clientonly, ports 25 80 3131
>  
> my rule file
> alert tcp any any -> any any (content: "Hello World"; msg: "Got the 
> message"; nocase;)
>  
> But still it is not detecting my content "Hello World" if it is 
> split across two packets.
>  
> Earlier I thought stream4 was not working, so I debugged it.... But 
> stream4 is working fine... It is enabled and it is forming the session 
> tree (splay tree). But only packets are sent to the detection engine, 
> not the session tree or the assembled packet......
>  
> Request ::
> So please guide me on where I am going wrong. Am I looking in 
> the right place (stream4)?
>  
> Thanks in advance
> Dennis George
>  
-- 
Martin Roesch - Founder/CTO, Sourcefire Inc. - (410)290-1616
Sourcefire: Intelligent Security Monitoring
roesch at ...402... - http://www.sourcefire.com
Snort: Open Source Network IDS - http://www.snort.org
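The quoted post describes a detection engine that inspects each packet on its own while stream4 builds a session tree. The Python example below is an added illustration, not code from the thread or from Snort: it reassembles constructed client-to-server segments by sequence number, applies the posted rule's case-insensitive "Hello World" content match, and, mirroring the posted `ports 25 80 3131` setting, only reassembles streams to those ports, so a split match on any other port is still missed.

```python
from dataclasses import dataclass

@dataclass
class Segment:
    dport: int      # destination port of the client -> server segment
    seq: int        # TCP sequence number of the first payload byte
    payload: bytes

# Mirrors the posted rule: content "Hello World" with the nocase modifier
RULE_CONTENT = b"Hello World"
# Mirrors the posted `stream4_reassemble: clientonly, ports 25 80 3131`
REASSEMBLE_PORTS = {25, 80, 3131}

def match_content(data: bytes) -> bool:
    """nocase content match: case-insensitive substring search."""
    return RULE_CONTENT.lower() in data.lower()

def detect_per_packet(segments):
    """What the detection engine sees without reassembly: each packet alone."""
    return [seg for seg in segments if match_content(seg.payload)]

def reassemble(segments) -> bytes:
    """Order one stream by sequence number, skipping retransmitted bytes.
    Gaps (missing segments) are simply concatenated; a real reassembler
    would wait for or flag them."""
    stream = bytearray()
    next_seq = None
    for seg in sorted(segments, key=lambda s: s.seq):
        if next_seq is None:
            next_seq = seg.seq
        if seg.seq + len(seg.payload) <= next_seq:
            continue                      # fully retransmitted, nothing new
        overlap = max(next_seq - seg.seq, 0)
        stream += seg.payload[overlap:]   # drop the already-seen prefix
        next_seq = seg.seq + len(seg.payload)
    return bytes(stream)

def detect_reassembled(segments):
    """Reassemble only configured ports, then run the content match
    over the rebuilt stream; returns the ports where the rule fires."""
    by_port = {}
    for seg in segments:
        by_port.setdefault(seg.dport, []).append(seg)
    return sorted(port for port, segs in by_port.items()
                  if port in REASSEMBLE_PORTS and match_content(reassemble(segs)))

# Constructed sample: "Hello World" split across two segments, delivered
# out of order to port 80 (reassembled) and in order to port 9999 (not).
SPLIT_TO_80 = [Segment(80, 1003, b"lo World"), Segment(80, 1000, b"Hel")]
SPLIT_TO_9999 = [Segment(9999, 500, b"Hel"), Segment(9999, 503, b"lo World")]
```

Per-packet inspection of SPLIT_TO_80 yields no hit, while the reassembled stream matches on port 80 only.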
