[Snort-devel] Is there a snort/libnids alternative
seth at ...1275...
Wed Oct 17 01:02:04 EDT 2012
On Oct 15, 2012, at 1:09 PM, Chris Green <greencm at ...2499...> wrote:
> The main thing missing in libnids is continued reassembly of tcp-flows
> even though there are SPAN packet drops.
> You need to look at Bro scripts.
Since it was mentioned… Yep, Bro already supports this. If you run it from the command line you can make it extract all sessions by default like this:
bro -r ~/some-packet.pcap Conn::default_extract=T
A bunch of files beginning with contents_* will be generated (2 per connection). If there is a content gap, Bro will just continue right past it and there will be no indicator of the gap in the files being output. If you need an indicator of the gap or something like a null byte to represent each missed byte, I could write a script to do that too.
International Computer Science Institute
(Bro) because everyone has a network
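The gap behaviour described in the post, as an added example that is not part of the original message and is not Bro's own code: a small Python model of one direction of gap-tolerant TCP reassembly. The class and function names, the max_hold threshold and the sample segments (an HTTP request whose second segment is never seen, as a SPAN drop would cause) are all constructed for this example. Instead of stalling at the missing segment, the reassembler declares the hole lost once enough data has queued up behind it (or at end of capture), records the gap, and fills it with NUL bytes so later stream offsets stay correct, which is the kind of gap indicator the post offers to add.

```python
"""Gap-tolerant TCP stream reassembly (constructed example, not Bro code)."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

MAX_SEQ = 1 << 32  # TCP sequence numbers are 32-bit and wrap


@dataclass
class Gap:
    seq: int     # first sequence number that was never seen
    length: int  # number of bytes filled in with NUL for it


@dataclass
class StreamReassembler:
    """One direction of a TCP flow, tolerant of dropped segments.

    Out-of-order segments are held until the hole in front of them is either
    filled by a retransmission or, once more than max_hold bytes are waiting
    behind it, declared lost: the hole is recorded as a Gap, written out as
    NUL bytes, and reassembly continues from the next buffered segment.
    """
    isn: int                      # initial sequence number (SYN); payload starts at isn+1
    max_hold: int = 65536         # assumed threshold, chosen for this example
    next_seq: int = field(init=False)
    stream: bytearray = field(default_factory=bytearray)
    gaps: List[Gap] = field(default_factory=list)
    _pending: Dict[int, bytes] = field(default_factory=dict)

    def __post_init__(self) -> None:
        self.next_seq = (self.isn + 1) % MAX_SEQ

    def feed(self, seq: int, data: bytes) -> None:
        """Accept one segment's payload at absolute sequence number seq."""
        if not data:
            return
        # Trim bytes already delivered (retransmission or overlapping segment).
        already = (self.next_seq - seq) % MAX_SEQ
        if 0 < already < (1 << 31):
            if already >= len(data):
                return
            data, seq = data[already:], self.next_seq
        if seq == self.next_seq:
            self._deliver(data)
            self._drain()
        else:
            self._pending[seq] = data  # arrived ahead of a hole; hold it
            if sum(len(d) for d in self._pending.values()) > self.max_hold:
                self._skip_hole()
                self._drain()

    def flush(self) -> None:
        """End of capture: anything still held sits behind a permanent hole."""
        while self._pending:
            self._skip_hole()
            self._drain()

    def _deliver(self, data: bytes) -> None:
        self.stream += data
        self.next_seq = (self.next_seq + len(data)) % MAX_SEQ

    def _drain(self) -> None:
        # Deliver held segments that are now contiguous with the stream.
        while self._pending:
            earliest = min(self._pending, key=lambda s: (s - self.next_seq) % MAX_SEQ)
            behind = (self.next_seq - earliest) % MAX_SEQ
            if behind >= (1 << 31):
                break  # earliest held segment is still ahead; hole remains open
            data = self._pending.pop(earliest)
            if behind < len(data):
                self._deliver(data[behind:])

    def _skip_hole(self) -> None:
        # Declare the bytes between next_seq and the earliest held segment lost.
        earliest = min(self._pending, key=lambda s: (s - self.next_seq) % MAX_SEQ)
        length = (earliest - self.next_seq) % MAX_SEQ
        self.gaps.append(Gap(self.next_seq, length))
        self._deliver(b"\x00" * length)  # NUL fill keeps later offsets correct


def reassemble(isn: int, segments: List[Tuple[int, bytes]],
               max_hold: int = 65536) -> Tuple[bytes, List[Gap]]:
    """Feed captured segments in arrival order, then flush at end of capture."""
    r = StreamReassembler(isn, max_hold)
    for seq, data in segments:
        r.feed(seq, data)
    r.flush()
    return bytes(r.stream), r.gaps


# Constructed sample: client->server half of an HTTP request with ISN 1000.
# The "Host:" segment (seq 1027, 20 bytes) was dropped on the SPAN port.
SAMPLE_WITH_DROP = [
    (1001, b"GET /index.html HTTP/1.1\r\n"),
    (1047, b"User-Agent: x\r\n"),
    (1062, b"\r\n"),
]

if __name__ == "__main__":
    stream, gaps = reassemble(1000, SAMPLE_WITH_DROP)
    print(stream)
    for g in gaps:
        print(f"gap: seq={g.seq} length={g.length}")
```

Feeding the same segments with the dropped one arriving late (a retransmission seen before max_hold is exceeded) closes the hole and records no gap; lowering max_hold makes the hole get declared lost as soon as the held bytes exceed it rather than at flush time.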