[Snort-devel] Is there a snort/libnids alternative

Seth Hall seth at ...1275...
Wed Oct 17 01:02:04 EDT 2012


On Oct 15, 2012, at 1:09 PM, Chris Green <greencm at ...2499...> wrote:

> The main thing missing in libnids is continued reassembly of tcp-flows
> even though there are SPAN packet drops.
> 
> You need to look at Bro scripts

Since it was mentioned… Yep, Bro already supports this.  If you run it from the command line you can make it extract all sessions by default like this:

bro -r ~/some-packet.pcap Conn::default_extract=T

A bunch of files beginning with contents_* will be generated (2 per connection).  If there is a content gap, Bro will just continue right past it and there will be no indicator of the gap in the files being output.  If you need an indicator of the gap or something like a null byte to represent each missed byte, I could write a script to do that too.

.Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro-ids.org/
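An added example, not part of Seth's post and not a script shipped with Bro: since the contents_* files carry no marker where reassembly skipped over dropped packets, one way to recover that information is to log every gap alongside the connection it belongs to. The script below assumes Bro 2.x, where the core raises `content_gap(c, is_orig, seq, length)` whenever the TCP reassembler gives up waiting for missing data and continues past it, and where `Conn::default_extract` is a redef-able constant, so it can be switched on from the script instead of the command line. The module name `ContentGap`, the log columns and the resulting `content_gap.log` file name are choices made here, not Bro conventions.

```bro
##! Record TCP reassembly gaps so the contents_* extracts can be
##! interpreted: each gap is logged with the connection's uid and 5-tuple,
##! the direction, the sequence number where the missing data starts and the
##! number of bytes that were never seen.
##! Example script, not part of Bro; assumes the Bro 2.x content_gap event.

module ContentGap;

export {
    ## Name of the log stream this script creates (an assumed name).
    redef enum Log::ID += { LOG };

    ## One line per gap in the content_gap.log produced by this script.
    type Info: record {
        ## Network time at which Bro skipped over the gap.
        ts:      time    &log;
        ## Connection unique id, to tie the gap to conn.log.
        uid:     string  &log;
        ## Connection 5-tuple, to tie the gap to the contents_* files.
        id:      conn_id &log;
        ## T if the gap is in the originator's stream, F for the responder.
        is_orig: bool    &log;
        ## Sequence number at which the missing bytes begin.
        seq:     count   &log;
        ## Number of bytes that were dropped (e.g. on the SPAN port).
        length:  count   &log;
    };
}

# Turn on contents extraction for every connection, equivalent to passing
# Conn::default_extract=T on the command line as in the post above.
redef Conn::default_extract = T;

event bro_init()
{
    # Create the stream; with no explicit $path the file is content_gap.log.
    Log::create_stream(ContentGap::LOG, [$columns=Info]);
}

# Raised by the core each time reassembly continues past missing data.
event content_gap(c: connection, is_orig: bool, seq: count, length: count)
{
    Log::write(ContentGap::LOG, [$ts=network_time(),
                                 $uid=c$uid,
                                 $id=c$id,
                                 $is_orig=is_orig,
                                 $seq=seq,
                                 $length=length]);
}
```

Run it as `bro -r ~/some-packet.pcap content_gap.bro`. The contents_* files are written exactly as before, with the gap elided; content_gap.log tells you, per connection and direction, where a reader of those files should treat the stream as discontinuous and how many bytes are missing, which is enough to splice in placeholder bytes after the fact if a consumer needs them.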
