[Snort-devel] New entry in Signature table for tagged packets

Dirk Geschke Dirk_Geschke at ...802...
Fri Nov 26 01:10:23 EST 2004


Hi Frank,

> On Thu, 2004-11-25 at 16:00, Frank Knobbe wrote:
> > it looks like Snort creates a new entry for "Tagged Packet" in the
> > signature table on every tagged packet. It enters the same name, class,
> > priority, rev and sid each time.
> 
> As a follow-up, it appears that the "parent" signature that caused the
> tag is also entered multiple times.

I don't think so. I guess you see them twice, one for the alert
chain and one for the log chain. Tagged packets are only reported
to the log facility not the alert facility.

And yes, there is a problem with tagged packets. Within FLoP
(http://www.geschke-online.de/FLoP/) we have extended the database
scheme to add the event_reference to the database. Additionally
we added the pcap header to the database and are able to recreate
the whole stream as a pcap file based on the event reference.

But the problem is, that the event reference points to the event
id of the alerting packet. This is simply a counter increased for
each alert/log packet. So if you restart snort it starts again
with zero. It is possible to get a mix-up of streams in the pcap
file.

One better solution would be to pre-set event_id on startup (maybe
time of the epoch minus a fixed date and you will hopefully get less
than one alert per second in the mean). This would create unique ids
and one is able to fetch all packets of a tagged session.

(Actually I did not find the location where event_id is set. I
suspect that it is never set but only the memory for the structure
is allocated which contains on startup zeros...)

To store a tagged packet with the signature of the first alerting
packet is not a good idea. You have to point out that it is a tagged
packet. Otherwise you will suspect that the detection engine is
faulty due to tagged packets missing the alerting data.

Best regards

Dirk
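A small C model of the counter problem described in the message above (an added example, not Snort's or FLoP's own code): a counter that restarts at zero hands out the same event_id after every restart, so tagged packets from two different runs can carry the same event_reference, while seeding it from the clock at startup keeps the id ranges apart as long as restarts are more than a few seconds apart and the mean alert rate stays below one per second. The struct, FIXED_EPOCH value and function names are assumptions made for the illustration.

```c
#include <stdint.h>
#include <time.h>

/* Fixed reference date the seed is measured from (constructed value,
 * roughly November 2004; any date before first deployment works). */
#define FIXED_EPOCH ((time_t)1100000000)

/* Minimal model of the per-process event counter; not Snort's own struct. */
typedef struct {
    uint32_t last_id;   /* last event_id handed out */
} event_counter_t;

/* Behaviour the mail describes: memory zeroed at startup, ids restart at 1. */
static void counter_init_zero(event_counter_t *c)
{
    c->last_id = 0;
}

/* Proposed fix: pre-set the counter from wall-clock time at startup. */
static void counter_init_seeded(event_counter_t *c, time_t start_time)
{
    c->last_id = (uint32_t)(start_time - FIXED_EPOCH);
}

/* Hand out the next event_id; tagged packets copy it into event_reference. */
static uint32_t counter_next(event_counter_t *c)
{
    return ++c->last_id;
}

/* Simulate a run raising n_alerts (>= 1) alerts; returns the last id used
 * and stores the first id of the run in *first_id. */
static uint32_t simulate_run(event_counter_t *c, unsigned n_alerts, uint32_t *first_id)
{
    uint32_t id = 0;
    *first_id = 0;
    for (unsigned i = 0; i < n_alerts; i++) {
        id = counter_next(c);
        if (i == 0) *first_id = id;
    }
    return id;
}

/* Two snort runs with a restart in between (started at t1 and t2). Returns 1
 * if some event_reference value could refer to alerts of both runs, i.e. the
 * streams rebuilt from the database could be mixed up; 0 otherwise. */
int restart_collides(int seeded, time_t t1, unsigned alerts1, time_t t2, unsigned alerts2)
{
    event_counter_t c;
    uint32_t a_first, a_last, b_first, b_last;
    if (seeded) counter_init_seeded(&c, t1); else counter_init_zero(&c);
    a_last = simulate_run(&c, alerts1, &a_first);
    if (seeded) counter_init_seeded(&c, t2); else counter_init_zero(&c);
    b_last = simulate_run(&c, alerts2, &b_first);
    return a_first <= b_last && b_first <= a_last;
}
```

The third case below shows the caveat in the proposal: a restart only two seconds after a run that raised five alerts still produces overlapping ids, so the seed only helps when the alert rate really is below one per second on average.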
