[Snort-users] newbie question on Stream4 preprocessing - missing last packet

Dan O'Keefe dokeefe at ...4371...
Mon Apr 28 07:48:37 EDT 2003


I am a new user of Snort, and was very interested in using it because of the tcp stream reassembly capabilities. Right now, 
I am using Snort to trap a full message (composed of multiple tcp packets with the tcp stream re-assembled) based on a portion of the content of the message. To do this, I am using the stream4 pre-processing.

Basically, I want to alert only on the full, re-assembled stream (applying rules only AFTER it has been fully assembled) and dump it to a log.

It almost works fine, except for one problem - all the packets except the last one get logged. The last packet ends up getting jammed into the beginning of the next logged message. It's almost as if when the message is logged, it forgets to write out the last packet and so that packet remains in memory for the next logged message.

My config file has the settings:
config stateful
config quiet
config dump_payload
preprocessor stream4
preprocessor stream4_reassemble: both ports "all"

My rule uses the options:
flow:established,only_stream; content: "|3C3F786D6C|";

Average reassembled message size to be logged is about 10k.

Anyone got any ideas? I've tried all sorts of configuration settings but this behavior seems to be pretty consistent. I hope I'm doing something daft.

Thanks for any help.
Dan O'Keefe
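As an added illustration (not from the post, and not Snort's own source), here is a toy flush-point reassembler in Python. It reproduces the "last segment lands at the start of the next logged chunk" pattern when the only flush trigger is a byte threshold, and shows chunks staying within one message when the sender's PSH/FIN also triggers a flush. That stream4 behaves exactly like this model is an assumption the post does not establish; the code is for reasoning about flush points, not a statement about Snort internals.

```python
# Toy flush-point TCP reassembler illustrating the symptom in the post; it is
# not Snort's stream4 code.  Segments of one persistent connection accumulate in
# a buffer that is handed to the rule engine ("flushed") at flush points.  With
# only a byte-threshold flush point, the tail segment of a message waits until
# the next message pushes the buffer past the threshold, so it appears at the
# start of the next logged chunk.  Also flushing when the sender marks the end
# of a write (PSH, or FIN at close) keeps every chunk inside one message.

CONTENT = bytes.fromhex("3C3F786D6C")  # the rule's content match: b"<?xml"

class Reassembler:
    def __init__(self, flush_at, flush_on_push):
        self.flush_at = flush_at            # byte-threshold flush point
        self.flush_on_push = flush_on_push  # also flush on PSH/FIN
        self.buf, self.buf_msgs = b"", set()
        self.chunks = []                    # (data, ids of messages inside)

    def _flush(self):
        if self.buf:
            self.chunks.append((self.buf, sorted(self.buf_msgs)))
            self.buf, self.buf_msgs = b"", set()

    def segment(self, payload, msg_id, push=False):
        self.buf += payload
        self.buf_msgs.add(msg_id)
        if len(self.buf) >= self.flush_at or (push and self.flush_on_push):
            self._flush()

# Constructed traffic: two small XML messages sent back to back on one
# connection, each split into three segments, the last of which carries PSH.
MESSAGES = [[b"<?xml ", b"version", b"='1.0'?>"],
            [b"<?xml ", b"ver", b"='2'/>"]]

def reassemble(flush_on_push, flush_at=10):
    r = Reassembler(flush_at, flush_on_push)
    for msg_id, segs in enumerate(MESSAGES):
        for i, s in enumerate(segs):
            r.segment(s, msg_id, push=(i == len(segs) - 1))
    r._flush()  # FIN: hand over whatever is still buffered
    return r.chunks

def straddling(chunks):
    """Chunks mixing bytes of two messages (the 'jammed' log entries)."""
    return [data for data, ids in chunks if len(ids) > 1]

def alerting(chunks):
    """Chunks the rule (content "<?xml" on reassembled data) fires on."""
    return [data for data, ids in chunks if CONTENT in data]
```

With the threshold-only setting the second chunk is `='1.0'?><?xml `, the tail of message 1 glued to the head of message 2, which is the pattern described in the log above; with PSH/FIN flushing no chunk straddles two messages.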