[Snort-devel] how to store content of reassembled packets?

Matthew Watchinski mwatchinski at ...402...
Thu Jun 28 10:36:10 EDT 2007


Have you run into some limitation of the "tag" and "session" keywords in
the rule language for accomplishing this?

Jerry Zhang wrote:
> Hi,
> I want to do this using Snort:
> 1. check certain signatures against the packets.
> 2. if the content of the packet matches the signature, we will reassemble
> the packets (one direction, say, from client or server) in this flow
> (server_ip, server_port, client_ip, client_port) to one stream.
> 3. And then store the content of this stream to a file.
> 
> I want to utilize the spp_stream4 code in snort, which deals with
> reassembling. The scenario in my mind is like this:
> 
> 1. write the signature with tag "only_stream".
> 2. write an output-plugin. once the alert for this signature is triggered,
> the output-plugin will use the pointer "Packet *p" to find the related
> stream and fprint to some file.
> 
> I am not sure whether it is doable. And questions in my mind:
> 
> 1. How can I use Packet *p to find the structure to store the reassembled
> content. Is it: p->streamptr->seglist->(payload, payload_size). ?
> 2. How can I decide the direction (from server or client) from this
> structure?
> 3. When does snort release the structure for the reassembled packets?
> Before the output-plugin or after the output-plugin? If it releases the
> structure before the output-plugin, the scenario will not work.
> 
> I am new to snort dev, so thanks for your help in advance.
> 
> 
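As an added illustration (not part of the original thread, and not code from the Snort project), here is a Snort 2.x rule showing how the "tag" and "session" keywords Matthew refers to cover the scenario Jerry describes without a custom output plugin: once the content matches, the following packets of that TCP session are logged, and the session's printable payload is written to a file. The rule header, the trigger string, the sid and the variable names $HOME_NET/$EXTERNAL_NET are assumptions for the example; snort is assumed to run in a logging mode (with -l <logdir>, not -N) so that tagged packets and session files are actually written.

```snort
# Added example, not from the original thread. Snort 2.x rule syntax.
# Assumed: this lives in a local rules file included from snort.conf, where
# $HOME_NET and $EXTERNAL_NET are defined, and snort runs with -l <logdir>.
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 ( \
    msg:"DEMO log rest of session after content match"; \
    flow:to_server,established; \
    content:"GET /demo-trigger"; nocase; \
    tag:session,300,packets; \
    session:printable; \
    sid:1000001; rev:1; \
)
```

What each part does: "tag:session,300,packets" makes snort log the next 300 packets of the same session (both directions) after the alerting packet, each marked as tagged, so they reach the configured log output together with the alert. "session:printable" writes the printable ASCII of the session's payload into a SESSION file under the log directory; "session:all" keeps every byte instead. Two caveats worth knowing relative to the original questions: tagging only captures packets after the match, not the part of the session that came before it, and session-type tagging records both directions, so client-only or server-only content has to be separated afterwards by address and port. The session keyword is also documented as costly, so it suits targeted rules rather than broad ones.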