[Snort-sigs] [Snort-users] byte_jump + Stream5, should it work?

rmkml rmkml at ...174...
Tue Dec 27 10:42:06 EST 2011


Hi Shaiming,
It works with your two cases on the default snort.conf (tested on snort v2.9.2), simply by adding "-k none" on the snort command line... (or in snort.conf)
Can you check please?
Happy Holidays.
Regards
Rmkml



On Tue, 27 Dec 2011, Shaiming Hsiung wrote:

> Many thanks for your answers.
>
> Here is my snort.conf file. The aim here is to detect application-level
> packets of the form:
>
>    start<offset>XX...XXXtest
>
> where <offset> are four bytes encoding the number of Xs
> we should skip to find the string "test". (The representation
> is big endian).
>
> -------- snort.conf
>
> preprocessor stream5_global: track_tcp yes track_udp yes
> preprocessor stream5_tcp: timeout 86400, protocol all, ports all
> preprocessor stream5_udp: timeout 86400
>
> config paf_max: 16000
>
> alert tcp any any -> any any (sid:1000000; msg:"test package detected";\
> content:"start";\
> byte_jump:4,0,relative;\
> content:"test";within:4;)
>
> --------
>
> The following Python file generates valid traffic given
> the number of Xs to insert:
>
> -------- snorttest.py
>
> import sys
> import struct
> no = int(sys.argv[1])
> # 'start' + 4-byte big-endian count + no 'X' bytes + 'test', written as raw
> # bytes so it works on Python 3 as well as Python 2
> out = getattr(sys.stdout, 'buffer', sys.stdout)
> out.write(b'start' + struct.pack('>I', no) + b'X' * no + b'test')
>
> --------
>
> The problem is that Snort is not detecting packages when
> the number of Xs is big (e.g. 10000). In that case the
> application-level data is segmented in multiple TCP packets.
>
> For instance, in this case, Snort detects the package:
>
> $ python snorttest.py 10 | nc target 1234
>
> While in this case it doesn't:
>
> $ python snorttest.py 10000 | nc target 1234
>
> I attach the files snorttest10.pcap and snorttest10000.pcap
> corresponding to each of these cases.
>
> Thanks in advance for your help,
>
> --
> Shaiming Hsiung
>

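To make the segmentation point concrete, the following is an added Python example, not code from either poster or from Snort itself. It builds the `start<offset>XX...test` message from the quoted post, emulates the posted rule (`content:"start"; byte_jump:4,0,relative; content:"test"; within:4;`) on a single buffer, and then evaluates it once per TCP-sized segment and once on the reassembled stream. The segment size `MSS` and the checksum flag on each segment are assumptions of the simulation, and `reassemble()` is only a simplified model of Stream5 dropping segments that fail checksum verification unless `-k none` is set.

```python
import struct

MSS = 1460  # assumed TCP segment payload size for the simulation (not from the thread)


def build_payload(n):
    # Message format from the thread: "start" + 4-byte big-endian count + n 'X' + "test"
    return b'start' + struct.pack('>I', n) + b'X' * n + b'test'


def rule_matches(data):
    """Emulate the posted rule on one buffer:
    content:"start"; byte_jump:4,0,relative; content:"test"; within:4;"""
    pos = data.find(b'start')
    if pos < 0:
        return False
    cursor = pos + len(b'start')                 # detection cursor sits after "start"
    if cursor + 4 > len(data):                   # byte_jump needs 4 bytes to read
        return False
    skip = struct.unpack('>I', data[cursor:cursor + 4])[0]  # big endian is the default
    cursor += 4 + skip                           # jump past the 4 length bytes plus skip
    # within:4 with a 4-byte pattern means "test" must start exactly at the cursor
    return data[cursor:cursor + 4] == b'test'


def segment(data, mss=MSS, bad_checksum=()):
    """Split the stream into TCP-sized chunks. Each chunk carries a flag saying
    whether its simulated TCP checksum verifies; indices in bad_checksum fail."""
    chunks = [data[i:i + mss] for i in range(0, len(data), mss)]
    return [(chunk, i not in bad_checksum) for i, chunk in enumerate(chunks)]


def inspect_per_segment(segments):
    # What a rule sees without stream reassembly: each segment in isolation
    return any(rule_matches(payload) for payload, _ in segments)


def reassemble(segments, verify_checksums=True):
    """Simplified model (assumption): segments failing the checksum are discarded
    before reassembly unless verification is disabled, which is what -k none does."""
    return b''.join(p for p, ok in segments if ok or not verify_checksums)


def inspect_reassembled(segments, verify_checksums=True):
    return rule_matches(reassemble(segments, verify_checksums))


if __name__ == '__main__':
    for n in (10, 10000):
        segs = segment(build_payload(n))
        print('n=%d segments=%d per-segment=%s reassembled=%s' % (
            n, len(segs), inspect_per_segment(segs), inspect_reassembled(segs)))
    # Constructed case: every segment fails the checksum. Dropped when verifying,
    # kept (and therefore matched) when verification is off.
    bad = segment(build_payload(10000), bad_checksum=range(7))
    print('bad checksums: verify=%s no-verify=%s' % (
        inspect_reassembled(bad), inspect_reassembled(bad, verify_checksums=False)))
```

With 10 X bytes the whole message fits in one segment and the rule matches either way; with 10000 it spans seven segments, the byte_jump target lies far outside the first one, and only the reassembled stream matches. The last case shows why a sensor that silently drops bad-checksum segments never builds the stream the rule needs, which is the situation `-k none` addresses when the capture path produces packets with unverifiable checksums.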


