[Snort-devel] how to store content of reassembled packets?

Jerry Zhang jerry3558 at ...2499...
Thu Jun 28 10:22:50 EDT 2007


 Hi,
I want to do this using Snort:
1. check certain signatures against the packets.
2. if the content of the packet matchs the signature, we will reassemble the
packets (one direction, say, from client or server) in this flow (server_ip,
server_port, client_ip, client_port) to one stream.
3. And then store the content of this stream to a file.

I want to utilize the spp_stream4 code in snort, which deal with
reassembling. The scenario in my mind like this:

1. write the signature with tag "only_stream".
2. write an output-plugin. once the alert for this signature is triggered,
the output-plugin will use the pointer "Packet *p" to find the related
stream and fprint to some file.

I am not sure whether it is doable. And questions in my mind:

1. How can I using Packet *p to find the structure to store the reassembled
content. Is it: p->streamptr->seglist->(payload, payload_size). ?
2. How can I decide the direction (from server or client) from this
structure?
3. When snort releases the structure for the reassembled packets?
Before the output-plugin or after the output-plugin? If it releases the
sturcture before ouput-plugin, the scenario will not work.

I am new for snort dev, so thanks for your help in advance.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-devel/attachments/20070628/65c7cf3a/attachment.html>


More information about the Snort-devel mailing list