[Snort-users] stream4 reassembly seems to lose last packet

Daniel OKeefe dokeefe_nh at ...131...
Thu Apr 24 18:06:04 EDT 2003


Hi

I am using snort to trap a full message (composed of
multiple tcp packets) tcp stream re-assembled, based
on a portion of the content of the message. To do
this, I am using the stream4 pre-processing.


Basically, I want to alert only on the full stream,
AFTER it has been fully assembled and dump it to a
log.

It almost works fine, except for one problem - all the
packets except the last one get logged. The last
packet ends up getting jammed into the beginning of
the next logged message. Its almost as if when the
message is logged, it forgets to write out the last
packet and so that packet remains in memory for the
next logged message.

My config file has the settings:
===========================================
config stateful
config quiet
config dump_payload
preprocessor stream4
preprocessor stream4_reassemble: both ports "all"
noalerts

My rule uses the options:
====================================
flow:established,only_stream; content: "|3C3F786D6C|";


Average reassembled message size to be logged is about
10k.

Anyone got any ideas? I've tried all sorts of
configuration settings but this behavior seems to be
pretty consistent. I hope I'm doing something daft.

Thanks for any help.
Dan O'Keefe


__________________________________________________
Do you Yahoo!?
The New Yahoo! Search - Faster. Easier. Bingo
http://search.yahoo.com




More information about the Snort-users mailing list