[Snort-sigs] [Snort-users] byte_jump + Stream5, should it work?
rmkml at ...174...
Tue Dec 27 10:42:06 EST 2011
It's work with your two case on default snort.conf (tested on snort v2.9.2), simply adding "-k none" on snort cmd line... (or in snort.conf)
Can you check please?
On Tue, 27 Dec 2011, Shaiming Hsiung wrote:
> Many thanks for your answers.
> Here is my snort.conf file. The aim here is to detect application-level
> packets of the form:
> where <offset> are four bytes encoding the number of Xs
> we should skip to find the string "test". (The representation
> is big endian).
> -------- snort.conf
> preprocessor stream5_global: track_tcp yes track_udp yes
> preprocessor stream5_tcp: timeout 86400, protocol all, ports all
> preprocessor stream5_udp: timeout 86400
> config paf_max: 16000
> alert tcp any any -> any any (sid:1000000; msg:"test package detected";\
> The following Python file generates valid traffic given
> the number of Xs to insert:
> -------- snorttest.py
> import sys
> import struct
> no = int(sys.argv)
> sys.stdout.write('start' + struct.pack('>I',no) + no*'X' + 'test')
> The problem is that Snort is not detecting packages when
> the number of Xs is big (e.g. 10000). In that case the
> application-level data is segmented in multiple TCP packets.
> For instance, in this case, Snort detects the package:
> $ python snorttest.py 10 | nc target 1234
> While in this case it doesn't:
> $ python snorttest.py 10000 | nc target 1234
> I attach the files snorttest10.pcap and snorttest10000.pcap
> corresponding to each of these cases.
> Thanks in advance for your help,
> Shaiming Hsiung
More information about the Snort-sigs