[Snort-users] asynchronous_link was snort sees no fragmented attack

Holger.Woehle at ...2701... Holger.Woehle at ...2701...
Tue Aug 13 05:53:03 EDT 2002


>Holger.Woehle at ...2701... writes:
>...I switched on the asynchronous_link but it doesn't change anything.
>I noticed that I cannot use the "flow" option even with asynchronous link...
>Snort 1.9 does not recognize the alarms declared with
>"flow:to_server,established".

>Chris Green <cmg at ...1935...> writes:
>Well, in 1.9 w/ a 1.9 ruleset, you should turn on
>
>preprocessor stream4: asynchronous_link
>
>you are running into the state machines actually caring about the
>state of a TCP session which it can't ascertain w/o having both sides
>of the conversation.
>
>This is not related to fragmentation.
>--
>Chris Green <cmg at ...1935...>
>A good pun is its own reword.

>Holger.Woehle at ...2701... writes:
> echo "GET /aaaaaaa/aaa/aaaaa/aaaaaaaa/aaaaaaa/bcc/bin/ps" | nc
>
>The Sensor listens behind a Shomiti Ethernet TAP.
>May this be the problem?  The Sensor only catches the
>"incoming" traffic. I do not want the answers from the machines. Am
>I wrong with that? Does snort need the outgoing traffic for defrag?
>

I switched to Snort 1.9 beta 2 and connected the sensor to both ends of the TAP
using device bond0.
Now I see all alerts!

But I don't want to inspect all outgoing traffic!

Do I need to adjust something in order to use preprocessor
stream4: asynchronous_link ?
Do I need to configure preprocessor stream4_reassembly: client_only or something
else ?

cu
Holger
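The following is an added example, not code from the original thread or from Snort itself: a toy TCP session tracker that models the point Chris Green makes above. A tracker that only ever sees the client-to-server leg of a TAP never observes the SYN/ACK, so the session never reaches ESTABLISHED and a rule carrying flow:to_server,established cannot fire; with an asynchronous_link-style setting the tracker gives up on that state check and treats any visible data as an established session. The packet traces (ONE_SIDED, BOTH_SIDES, MIDSTREAM_ONLY) and the request line are constructed for the example and only mimic the echo | nc test quoted above; the state machine is a deliberate simplification, not stream4's code.

```python
# Added example (not from the original thread or from Snort): a toy model of
# why a one-leg TAP feed breaks "flow:to_server,established" and what the
# asynchronous_link trade-off is. Simplified state machine, not stream4's.
from dataclasses import dataclass


@dataclass(frozen=True)
class Pkt:
    """One TCP segment. src is 'client' or 'server'; flags are TCP flag letters."""
    src: str
    flags: str
    payload: bytes = b""


class SessionTracker:
    """Minimal three-way-handshake state machine for a single TCP session."""

    def __init__(self, asynchronous_link: bool = False):
        self.asynchronous_link = asynchronous_link
        self.state = "CLOSED"

    def feed(self, p: Pkt) -> str:
        if p.src == "client" and "S" in p.flags and "A" not in p.flags:
            self.state = "SYN_SENT"
        elif p.src == "server" and p.flags == "SA" and self.state == "SYN_SENT":
            self.state = "SYN_RCVD"
        elif p.src == "client" and "A" in p.flags and self.state == "SYN_RCVD":
            self.state = "ESTABLISHED"
        elif self.asynchronous_link and p.payload and self.state != "ESTABLISHED":
            # Only one side of the link is visible: assume the peer completed
            # the handshake as soon as data is seen flowing.
            self.state = "ESTABLISHED"
        return self.state


def rule_matches(p: Pkt, state: str, pattern: bytes = b"/bin/ps") -> bool:
    """Rough equivalent of: content:"/bin/ps"; flow:to_server,established;"""
    return p.src == "client" and state == "ESTABLISHED" and pattern in p.payload


def alerts_for(packets, asynchronous_link: bool = False) -> int:
    """Run one session's packets through the tracker and count rule hits."""
    tracker = SessionTracker(asynchronous_link)
    return sum(rule_matches(p, tracker.feed(p)) for p in packets)


# Constructed sample traces (not captures from the original post).
REQUEST = b"GET /aaaaaaa/aaa/aaaaa/aaaaaaaa/aaaaaaa/bcc/bin/ps\n"

# What a TAP wired for one direction delivers: client SYN, client ACK, client data.
ONE_SIDED = [
    Pkt("client", "S"),
    Pkt("client", "A"),
    Pkt("client", "PA", REQUEST),
]

# What both TAP legs bonded into one device (bond0) deliver: the full handshake.
BOTH_SIDES = [
    Pkt("client", "S"),
    Pkt("server", "SA"),
    Pkt("client", "A"),
    Pkt("client", "PA", REQUEST),
    Pkt("server", "PA", b"HTTP/1.0 404 Not Found\r\n"),
]

# An unsolicited data segment with no handshake at all, the kind of packet a
# stateless flooder sends; the session state check is what filters it out.
MIDSTREAM_ONLY = [Pkt("client", "PA", REQUEST)]


if __name__ == "__main__":
    for name, trace in [("one-sided", ONE_SIDED), ("both sides", BOTH_SIDES),
                        ("no handshake", MIDSTREAM_ONLY)]:
        for mode in (False, True):
            print(f"{name:12s} asynchronous_link={mode!s:5s} "
                  f"alerts={alerts_for(trace, mode)}")
```

The no-handshake trace shows the cost of the setting: once the tracker stops demanding a visible SYN/ACK, a single spoofed or replayed data segment looks as established as a real session, so the established check no longer filters unsolicited packets. Which side's payload gets reassembled (the reassembly keyword, which the Snort manual spells clientonly rather than client_only; worth checking against the 1.9 README) is a separate question from whether the state tracker has seen both halves of the conversation.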