[Snort-devel] Re: [Snort-users] Content across multiple packets Not detected by Snort

Ueli Kistler u.kistler at ...2510...
Wed Apr 28 07:05:04 EDT 2004


... you got it completly wrong. The Snort preprocessor you're talking 
about, is reassembling *fragmented* packets.
.... and this absolutely not the same as your "splitted packets"

Usual case..:
Fragmented packets are part of the same original packet at the source, 
splitted up by the OS for transport if it has a certain size and 
reassembled by the OS
at the target to the complete original packet again. If you transfer a 
text "hello world" with tcp, but you send "hello" in the first packet 
and "world" in the second there's nothing to reassemble, because you 
"hello" and "world" are 2 different packets)

So there's also nothing to debug ... because there's no bug ;)
Anyone on this list (among others) does already know that not only the 
OS can send a fragmented packet i think? :p

Regards,
    Ueli Kistler
    u.kistler at ...2510...
    www.engagesecurity.com

--

Dennis George wrote:

> Hi all,
>  
> *Intro :*
> I am working with snort from the last 3 weeks. I am using Snort 2.1.0 
> for content monitoring.
>  
> *Problem :*
> My problem is that if the content I am monitoring is splitted across 
> two packets then Snort is not detecting it.
>  
> *Home Work:*
> In my configuration file I have enabled stream4 and stream4_reassemble.
>  
> /my snort.conf file/
> preprocessor stream4: detect_scans, disable_evasion_alerts, 
> log_flushed_streams
>  
> preprocessor stream4_reassemble
> preprocessor stream4_reassemble : clientonly, ports 25 80 3131
>  
> /my rule file/
> alert tcp any any -> any any (content: "Hello World"; msg: "Got the 
> message"; nocase;)
>  
> But still it is not detecting my content "Hello World" if it is 
> splitted in two packets.
>  
> Earlier I thought Stream4 is not working so I debugged it.... But 
> stream4 is working fine... It is enabled and it is forming the Session 
> tree (splay tree). But in the Detection engine only packets are sent 
> not the Session tree or the assembled packet......
>  
> *Request ::*
> So you people please guide me where am I going wrong. Am I looking in 
> the right place (stream4).
>  
> Thanks in advance
> Dennis George
>  
>
> ------------------------------------------------------------------------
> Do you Yahoo!?
> Yahoo! Photos: High-quality 4x6 digital prints for 25¢ 
> <http://pa.yahoo.com/*http://us.rd.yahoo.com/evt=23765/*http://photos.yahoo.c%0Aom/ph/print_splash> 








More information about the Snort-devel mailing list