[Snort-devel] problem with stream reassembly

Milani Paolo Paolo.Milani at ...866...
Fri Jul 16 03:15:15 EDT 2004


If I understand what you are saying, your problem is that a string that
happens to fall across a packet boundary does not get detected. I think this is normal
behaviour, since stream reassembly flushes the buffer of stream packets every so often
to produce a reassembled packet that is then reinjected into the detection engine.
So there are packet boundaries across which strings do not get detected, but the
idea is that since the attacker should not be able to predict which packet boundaries
will be missed (because of pseudo-random behaviour), he cannot reliably evade detection.

my 2 cents,
Paolo Milani
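Added example (not from the thread, and not Snort's stream4 code): a toy reassembler in Python that shows why a pattern split by a flush point is missed, why a fixed flush schedule makes that miss repeatable while a pseudo-random schedule does not, and what keeping the last (pattern length - 1) bytes across a flush would change. The ~4 KB page, the 1000-byte segments, the marker strings, the flush schedules and the carry-over option are all constructed assumptions for the illustration; nothing here reflects how stream4 actually chooses its flush points.

```python
# Toy model of stream reassembly with flush points. This is an added
# illustration, not Snort's stream4 code; the carry-over option is a
# hypothetical mitigation, not a stream4 setting.
import random

MSS = 1000                     # constructed segment size for the toy trace
PAT_1_2 = b"STRADDLE_1_2"      # 12 bytes straddling the seg1/seg2 boundary
PAT_2_3 = b"STRADDLE_2_3"      # 12 bytes straddling the seg2/seg3 boundary

# Constructed ~4 KB "page": PAT_1_2 at offsets 994..1005, PAT_2_3 at 1994..2005,
# so each pattern is cut in two by a segment boundary (at 1000 and at 2000).
PAGE = b"." * 994 + PAT_1_2 + b"." * 988 + PAT_2_3 + b"." * 1994
assert len(PAGE) == 4000


def segment(payload: bytes, mss: int = MSS):
    """Cut the payload into in-order 'TCP segments' of at most mss bytes."""
    return [payload[i:i + mss] for i in range(0, len(payload), mss)]


def scan_with_flushes(segments, pattern: bytes, flush_after, carry: int = 0):
    """Model a reassembler: segments are appended to a buffer; after the
    segment counts listed in flush_after (and at end of stream) the buffer is
    handed to the 'detection engine' (a substring search) and then cleared.
    carry > 0 keeps the trailing carry bytes across a flush, so a pattern of
    length carry+1 that is split by a flush can still be matched.
    Returns the indices of the flushed buffers in which pattern matched."""
    buf, hits, flush_no = b"", [], 0
    for i, seg in enumerate(segments, 1):
        buf += seg
        if i in flush_after or i == len(segments):
            if pattern in buf:
                hits.append(flush_no)
            flush_no += 1
            buf = buf[-carry:] if carry else b""
    return hits


def random_flush_points(n_segments: int, seed: int, lo: int = 1, hi: int = 3):
    """Pseudo-random flush schedule: flush after every lo..hi segments.
    The seed stands in for state the attacker cannot observe."""
    rng = random.Random(seed)
    points, i = set(), 0
    while i < n_segments:
        i += rng.randint(lo, hi)
        points.add(i)
    return points


def demo():
    segs = segment(PAGE)                      # four 1000-byte segments
    fixed = {2}                               # always flush after segment 2
    return {
        # pattern across seg1/seg2 sits inside flush 0: detected
        "seg1_2_fixed": scan_with_flushes(segs, PAT_1_2, fixed),
        # pattern across seg2/seg3 is split between flush 0 and 1: missed
        "seg2_3_fixed": scan_with_flushes(segs, PAT_2_3, fixed),
        # same schedule with an 11-byte carry-over: detected in flush 1
        "seg2_3_carry": scan_with_flushes(segs, PAT_2_3, fixed,
                                          carry=len(PAT_2_3) - 1),
        # pseudo-random schedules: the miss is no longer repeatable
        "seg2_3_random": [scan_with_flushes(segs, PAT_2_3,
                                            random_flush_points(len(segs), s))
                          for s in range(10)],
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

With the fixed schedule the 2/3 pattern is missed on every run of the same trace, which is exactly what a local wget test will show; with the randomised schedule some runs miss it and some do not, and with the carry-over every schedule finds it.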

Date: Thu, 15 Jul 2004 20:08:09 +0300 (EEST)
From: antonat <antonat at ...1996...>
To: snort-devel at lists.sourceforge.net
cc: Antonatos Spiros <antonat at ...1999...>
Subject: [Snort-devel] problem with stream reassembly


I have a tcpdump trace containing packets from a "wget" I did on a local
web server. The page I asked for is around 4k. When I perform TCP reassembly
(on both sides) using stream4 I get a reassembled packet, but it does not
contain the whole page (a packet is missing from the reassembly; I can
detect a string that is located half in the 1st and half in the 2nd packet
of the page, but not a string between the 2nd and 3rd packet). I am using Snort
2.2.0RC1. The configuration file (containing the string I cannot detect)
as well as the trace are attached.

thanks in advance,
Antonatos Spiros

