[Snort-devel] how to store content of reassembled packets?

Will Metcalf william.metcalf at ...2499...
Thu Jun 28 14:28:55 EDT 2007


I don't think this is something you want to do in snort. Reassembly is
expensive, and because snort is essentially single threaded while you
are doing this, snort is not processing packets.  Why not use
something like sguil and log_packets.sh to extract the full-content of
a tcp session related to an alert.  I don't know if it will help or
not but I hacked together a crappy perl script to parse ring-buffer
captures and extract data related to an attacker...

http://snort-inline.sourceforge.net/parsep-extend-range.pl

Regards,

Will
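The approach Will recommends, pulling the full content of one TCP session out of ring-buffer captures after an alert rather than inside snort, looks like this in practice. The script below is an added example written for this page; it is not parsep-extend-range.pl, sguil's log_packets.sh or any snort code. It takes the 4-tuple an alert gives you, collects every segment in the chosen direction from a classic pcap, orders them by sequence number, discards retransmissions, trims overlaps, reports gaps (segments the ring buffer rolled over or the sensor dropped) and writes the stream to a file. Assumptions: Ethernet link type, IPv4 and TCP only, no sequence-number wraparound and no checksum validation. The capture it runs on is constructed in memory (hosts 10.0.0.5 and 10.0.0.9, an out-of-order request with a retransmission and an ARP frame to skip) so it runs offline.

```python
"""Extract one direction of a TCP session from a pcap, given an alert's 4-tuple.

Added example (not parsep-extend-range.pl, not sguil's log_packets.sh, not snort).
Handles classic pcap over Ethernet with IPv4/TCP; sequence-number wraparound is
not handled and checksums are not verified.
"""
import socket
import struct
from collections import namedtuple

Segment = namedtuple("Segment", "src sport dst dport seq flags payload")


def parse_pcap(data: bytes):
    """Yield a Segment for every IPv4/TCP frame in a classic pcap byte string."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic == 0xA1B2C3D4:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng is not supported here)")
    linktype, = struct.unpack_from(endian + "I", data, 20)
    if linktype != 1:  # DLT_EN10MB
        raise ValueError("only Ethernet captures are supported")
    off = 24
    while off + 16 <= len(data):
        _, _, incl_len, _ = struct.unpack_from(endian + "IIII", data, off)
        off += 16
        frame = data[off:off + incl_len]
        off += incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":  # not IPv4, or truncated
            continue
        ip = frame[14:]
        ihl = (ip[0] & 0x0F) * 4
        total_len = struct.unpack_from("!H", ip, 2)[0]
        if ip[9] != 6:  # protocol field: 6 == TCP
            continue
        src, dst = socket.inet_ntoa(ip[12:16]), socket.inet_ntoa(ip[16:20])
        tcp = ip[ihl:total_len]
        sport, dport, seq, _ack, doff, flags = struct.unpack_from("!HHIIBB", tcp, 0)
        thl = (doff >> 4) * 4
        yield Segment(src, sport, dst, dport, seq, flags, tcp[thl:])


def reassemble(segments, src, sport, dst, dport):
    """Return (payload, gaps) for the src:sport -> dst:dport direction only."""
    segs = sorted((s for s in segments
                   if (s.src, s.sport, s.dst, s.dport) == (src, sport, dst, dport)
                   and s.payload),
                  key=lambda s: s.seq)
    out, gaps, nxt = bytearray(), [], None
    for s in segs:
        if nxt is None:
            nxt = s.seq
        if s.seq + len(s.payload) <= nxt:
            continue  # pure retransmission: every byte already copied
        if s.seq > nxt:
            gaps.append((nxt, s.seq))  # bytes missing from the capture
            nxt = s.seq
        out += s.payload[nxt - s.seq:]  # trims a partial overlap
        nxt = s.seq + len(s.payload)
    return bytes(out), gaps


def extract_to_file(pcap_bytes, src, sport, dst, dport, path):
    """Write one direction of the flow to `path`; return (bytes written, gaps)."""
    payload, gaps = reassemble(parse_pcap(pcap_bytes), src, sport, dst, dport)
    with open(path, "wb") as fh:
        fh.write(payload)
    return len(payload), gaps


def _frame(src, sport, dst, dport, seq, payload, flags=0x18):
    """Build one pcap record: Ethernet/IPv4/TCP with the given payload (constructed)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 0x50, flags, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst)) + tcp
    eth = b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb" + b"\x08\x00" + ip
    return struct.pack("<IIII", 0, 0, len(eth), len(eth)) + eth


def build_sample_pcap(drop_middle=False):
    """Constructed capture: out-of-order client request, a retransmit, the
    server reply, and an ARP frame.  drop_middle simulates a lost segment."""
    c, cp, s, sp = "10.0.0.5", 40000, "10.0.0.9", 80
    req = [b"GET /index.html HTTP/1.0\r\n", b"Host: example.test\r\n", b"\r\n"]
    seqs = [1000, 1000 + len(req[0]), 1000 + len(req[0]) + len(req[1])]
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    frames = [] if drop_middle else [_frame(c, cp, s, sp, seqs[1], req[1])]
    frames += [
        _frame(c, cp, s, sp, seqs[0], req[0]),
        _frame(c, cp, s, sp, seqs[0], req[0]),                 # retransmission
        _frame(s, sp, c, cp, 5000, b"HTTP/1.0 200 OK\r\n\r\nhello\n"),  # other direction
        _frame(c, cp, s, sp, seqs[2], req[2]),
    ]
    arp = b"\xff" * 6 + b"\x66\x77\x88\x99\xaa\xbb" + b"\x08\x06" + b"\x00" * 28
    frames.append(struct.pack("<IIII", 0, 0, len(arp), len(arp)) + arp)
    return hdr + b"".join(frames)


if __name__ == "__main__":
    n, gaps = extract_to_file(build_sample_pcap(), "10.0.0.5", 40000,
                              "10.0.0.9", 80, "client_stream.bin")
    print(f"wrote {n} bytes, gaps: {gaps}")
```

Against a real ring buffer you would call `parse_pcap` on each file in the buffer that covers the alert's timestamp and concatenate the segments before calling `reassemble`; the `gaps` list is the thing to look at first, because an empty file with a large gap usually means the buffer had already rolled over when the alert fired.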



On 6/28/07, Jerry Zhang <jerry3558 at ...2499...> wrote:
>  Hi,
>  I want to do this using Snort:
>  1. check certain signatures against the packets.
>  2. if the content of the packet matches the signature, we will reassemble
> the packets (one direction, say, from client or server) in this flow
> (server_ip, server_port, client_ip, client_port) into one stream.
>  3. And then store the content of this stream to a file.
>
>  I want to utilize the spp_stream4 code in snort, which deals with
> reassembling. The scenario in my mind is like this:
>
>  1. write the signature with tag "only_stream".
>  2. write an output-plugin. once the alert for this signature is triggered,
>  the output-plugin will use the pointer "Packet *p" to find the related
> stream and fprint to some file.
>
>  I am not sure whether it is doable. And questions in my mind:
>
>  1. How can I use Packet *p to find the structure that stores the reassembled
> content? Is it: p->streamptr->seglist->(payload,
> payload_size)?
>  2. How can I decide the direction (from server or client) from this
> structure?
>  3. When does snort release the structure for the reassembled packets?
> Before the output-plugin or after the output-plugin? If it releases the
> structure before the output-plugin, the scenario will not work.
>
>  I am new to snort dev, so thanks for your help in advance.
> _______________________________________________
> Snort-devel mailing list
> Snort-devel at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-devel