[Snort-users] preproccesor stream

Christopher E. Cramer chris.cramer at ...799...
Thu Jan 18 22:59:06 EST 2001


Vitaly, in this case you are right :)

The stream reassembler takes TCP packets and puts them in the correct
order.  Periodically we take the reconstructed data and inject a fake
packet back into the snort detection system.  This is useful in two
cases: 1) you are trying to monitor telnet or another protocol in which
legitimate data is split into many small packets, and 2) you are under
attack by someone trying to hide their activity by breaking attack
signatures across multiple packets - your machine would reassemble them,
your NIDS better do so as well.

The reassembler seems to work well in the situation where you have no
packet loss, however, it doesn't work so well with packet loss.  My next
release of the preprocessor should be more robust when you don't have all
the packets available to you.  

For a good reason to use both the defrag and stream preprocessors, check
out fragrouter.

Regards,
Chris
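The behaviour Chris describes above, as an added example that is not Snort's stream preprocessor and not part of the original post: a minimal one-direction TCP reassembler in Python that orders segments by sequence number, trims retransmitted overlap, stops at a hole when a segment is missing, and flushes the contiguous data as one pseudo-packet for signature matching. The names (Segment, StreamReassembler, SIGNATURE, REQUEST, ISN), the content signature and the spliced request are all assumptions constructed for the demo; 32-bit sequence wraparound and the reverse direction are ignored.

```python
# Added example (not Snort's stream preprocessor): a minimal one-direction TCP
# stream reassembler that orders segments by sequence number, tolerates
# retransmits/overlaps, stops at a hole, and flushes the contiguous data as
# one pseudo-packet for signature matching. All inputs below are constructed.
from dataclasses import dataclass
import random


@dataclass
class Segment:
    seq: int        # TCP sequence number of the first payload byte
    payload: bytes


# Hypothetical content signature, standing in for a rule's content match.
SIGNATURE = b"/cgi-bin/phf"


class StreamReassembler:
    """Reassembles one direction of a TCP stream (32-bit seq wrap ignored)."""

    def __init__(self, isn):
        self.next_seq = isn         # next byte we expect in order
        self.pending = {}           # seq -> payload, segments not yet contiguous
        self.buffer = bytearray()   # contiguous data awaiting flush

    def add(self, seg):
        # Keep the longest payload seen for a given starting seq (retransmits).
        old = self.pending.get(seg.seq)
        if old is None or len(seg.payload) > len(old):
            self.pending[seg.seq] = seg.payload
        self._drain()

    def _drain(self):
        # Move everything contiguous with next_seq into the buffer; stop at a hole.
        while self.pending:
            seq = min(self.pending)
            if seq > self.next_seq:
                return                      # gap: a segment is lost or late
            payload = self.pending.pop(seq)
            end = seq + len(payload)
            if end > self.next_seq:         # trim overlap already delivered
                self.buffer += payload[self.next_seq - seq:]
                self.next_seq = end

    def has_gap(self):
        # True while data is queued behind a missing segment (packet loss).
        return bool(self.pending)

    def flush(self):
        # The "fake packet" handed back to detection: all contiguous data so far.
        data = bytes(self.buffer)
        self.buffer.clear()
        return data


def split_request(request, isn, chunk):
    """Session splicing: carve one request into small segments (constructed)."""
    return [Segment(isn + i, request[i:i + chunk])
            for i in range(0, len(request), chunk)]


def per_packet_detect(segments):
    """Naive per-packet matching: what a NIDS without reassembly sees."""
    return any(SIGNATURE in s.payload for s in segments)


def reassembled_detect(segments, isn):
    """Match against the reassembled stream; returns (hit, data, gap)."""
    r = StreamReassembler(isn)
    for s in segments:
        r.add(s)
    data = r.flush()
    return SIGNATURE in data, data, r.has_gap()


REQUEST = b"GET /cgi-bin/phf?Qalias=x HTTP/1.0\r\n\r\n"  # constructed sample
ISN = 1000

if __name__ == "__main__":
    segs = split_request(REQUEST, ISN, 3)
    random.Random(7).shuffle(segs)                   # arrive out of order
    segs.append(Segment(ISN + 3, REQUEST[3:9]))      # overlapping retransmit
    print("per-packet:", per_packet_detect(segs))
    hit, data, gap = reassembled_detect(segs, ISN)
    print("reassembled:", hit, data, "gap:", gap)

    # Packet loss: drop the segment carrying the middle of the signature.
    lossy = [s for s in split_request(REQUEST, ISN, 3) if s.seq != ISN + 9]
    hit, data, gap = reassembled_detect(lossy, ISN)
    print("lossy:", hit, data, "gap:", gap)
```

Per-segment matching never fires on the 3-byte slices, while the flushed pseudo-packet contains the whole signature; in the lossy run the reassembler can only flush the bytes before the hole and reports a gap, which is exactly the situation the message says the preprocessor handles poorly.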

On Thu, 18 Jan 2001, Vitaly McLain wrote:

> I may be wrong (happens a lot), but this could be the TCP stream assembler,
> which does what you said. It can help Snort detect attacks designed to evade
> IDS, like session splicing.
> 
> Vitaly McLain
> twistah at ...93...
> twistah @ OPN & EfNet
> "If you don't turn on to politics, politics will turn on you."
>        - Ralph Nader
> 
> 
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> http://lists.sourceforge.net/lists/listinfo/snort-users
> 