[Snort-devel] Content across multiple packets Not detected by Snort
roesch at ...402...
Mon Apr 26 06:05:23 EDT 2004
No, I meant do you have binary packet capture files (pcaps) of the
traffic that you're having trouble with? To generate them, simply run
'tcpdump -w packets.pcap' and run your traffic; that should record the
traffic and put it in a format that can be played back through Snort.
On Apr 26, 2004, at 1:20 AM, Dennis George wrote:
> Hi Marty,
> I do have the libpcap library installed and I am working on Linux 2.4.x
> Thanks and regards
> Martin Roesch <roesch at ...402...> wrote:
> Got pcaps? What platform?
> On Apr 23, 2004, at 4:59 AM, Dennis George wrote:
> > Hi all,
> > Intro :
> > I have been working with Snort for the last 3 weeks. I am using Snort 2.1.0
> > for content monitoring.
> > Problem :
> > My problem is that if the content I am monitoring is split across
> > two packets then Snort is not detecting it.
> > Home Work:
> > In my configuration file I have enabled stream4 and
> > my snort.conf file
> > preprocessor stream4: detect_scans, disable_evasion_alerts,
> > log_flushed_streams
> > preprocessor stream4_reassemble
> > preprocessor stream4_reassemble : clientonly, ports 25 80 3131
> > my rule file
> > alert tcp any any -> any any (content: "Hello World"; msg: "Got the
> > message"; nocase;)
> > But still it is not detecting my content "Hello World" if it is
> > split across two packets.
> > Earlier I thought stream4 was not working, so I debugged it... But
> > stream4 is working fine... It is enabled and it is forming the
> > tree (splay tree). But in the detection engine only packets are sent,
> > not the session tree or the assembled packet...
> > Request ::
> > So could you people please guide me on where I am going wrong? Am I looking in
> > the right place (stream4)?
> > Thanks in advance
> > Dennis George
> Martin Roesch - Founder/CTO, Sourcefire Inc. - (410)290-1616
> Sourcefire: Intelligent Security Monitoring
> roesch at ...402... - http://www.sourcefire.com
> Snort: Open Source Network IDS - http://www.snort.org
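To produce the kind of pcap Marty asks for without needing live traffic, the following added example (not code from the thread or from Snort) writes a capture in pure standard-library Python: a TCP three-way handshake to port 80 (one of the ports in the stream4_reassemble line above), the string "Hello World" delivered in two segments so that no single packet contains the whole content, and a FIN to close the session. Addresses, MAC addresses, ports, sequence numbers and timestamps are constructed values; the output file can be replayed with 'snort -r split_hello.pcap' to check whether the reassembled stream triggers the rule.

```python
"""Write a small pcap in which "Hello World" is split over two TCP segments of
one established session, for replaying through an IDS (e.g. 'snort -r')."""
import struct
CLIENT, SERVER = ("10.0.0.1", 40000), ("10.0.0.2", 80)  # constructed; 80 is in the reassembled port list
SYN, ACK, PSH, FIN = 0x02, 0x10, 0x08, 0x01
PCAP_GLOBAL = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # LINKTYPE_ETHERNET

def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum of 16-bit words (odd length is zero-padded)."""
    if len(data) % 2:
        data += b"\0"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def ip_bytes(addr: str) -> bytes:
    return bytes(int(o) for o in addr.split("."))

def tcp_segment(src, dst, seq, ack, flags, payload=b"") -> bytes:
    """Ethernet + IPv4 + TCP frame with valid checksums; Snort by default ignores
    segments with bad checksums, so they would never reach reassembly."""
    tcp = struct.pack("!HHIIBBHHH", src[1], dst[1], seq, ack, 0x50, flags, 65535, 0, 0) + payload
    pseudo = ip_bytes(src[0]) + ip_bytes(dst[0]) + struct.pack("!BBH", 0, 6, len(tcp))
    tcp = tcp[:16] + struct.pack("!H", checksum(pseudo + tcp)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     ip_bytes(src[0]), ip_bytes(dst[0]))
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    return bytes.fromhex("001122334455" "66778899aabb" "0800") + ip + tcp  # constructed MACs

def split_content_pcap(content: bytes = b"Hello World", split_at: int = 6) -> bytes:
    """Three-way handshake, content client->server in two segments, then client FIN."""
    c, s = 1000, 5000  # constructed initial sequence numbers
    frames = [
        tcp_segment(CLIENT, SERVER, c, 0, SYN),
        tcp_segment(SERVER, CLIENT, s, c + 1, SYN | ACK),
        tcp_segment(CLIENT, SERVER, c + 1, s + 1, ACK),
        tcp_segment(CLIENT, SERVER, c + 1, s + 1, ACK | PSH, content[:split_at]),
        tcp_segment(CLIENT, SERVER, c + 1 + split_at, s + 1, ACK | PSH, content[split_at:]),
        tcp_segment(CLIENT, SERVER, c + 1 + len(content), s + 1, ACK | FIN),
    ]
    out = PCAP_GLOBAL
    for i, f in enumerate(frames):  # record header: ts_sec, ts_usec, incl_len, orig_len
        out += struct.pack("<IIII", 1082966400 + i, 0, len(f), len(f)) + f
    return out

if __name__ == "__main__":
    with open("split_hello.pcap", "wb") as fh:
        fh.write(split_content_pcap())
```

If the rule fires on this capture only after the reassembled pseudo-packet is inspected, the per-packet miss the original poster describes is reproduced; changing split_at moves the boundary to test other flush points.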