[Snort-users] stream4 - simple experiment

Matt Kettler mkettler at ...4108...
Thu Jun 19 11:30:21 EDT 2003

At 10:26 AM 6/19/2003 -0400, CHARLES ASMUTH wrote:

>What do I need to do to get alerts for the client stream transmissions of 
>the string "xyz"?

Stream4 flushes the buffer every time the "flow" of data switches. In your 
case it never catches the individual byte-by-byte echo back, because it's 
separated by traffic from the client. This is done to prevent stream4 from 
having to buffer an *entire* TCP session; that could very quickly grow to 
several gigs of data as a single "uber packet" in the case of a file download.

The point is to re-assemble fragments of the same fundamental "data chunk" 
sent all at the same time to a server such as a mailserver, and flush 
whenever the mailserver responds.

If, however, the server were to send 3 packets "x" "y" "z" without a client 
data packet in between, the rule should fire. I'd suggest trying to write a 
shell script that does something like:

#!/bin/sh
# each line goes out as its own server-to-client packet, one second apart
echo x
sleep 1
echo y
sleep 1
echo z

Log in and execute that and see what happens.
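The following is an added illustration, not code from the original thread or from Snort itself: a toy model of the flush-on-direction-change behaviour described above, showing why the interactive echo never yields a contiguous "xyz" while three consecutive server packets do. The buffer model, segment format and the two sessions are all constructed assumptions.

```python
from typing import List, Optional, Tuple

Segment = Tuple[str, bytes]   # (direction, payload); direction is "c2s" or "s2c"

class FlowBuffer:
    """Toy stand-in for stream4's per-session reassembly buffer (assumed model)."""
    def __init__(self) -> None:
        self.current_dir: Optional[str] = None
        self.buf = bytearray()
        self.flushed: List[Tuple[str, bytes]] = []

    def feed(self, direction: str, payload: bytes) -> None:
        # The flush happens when the flow switches direction, not per packet.
        if self.current_dir is not None and direction != self.current_dir:
            self.flush()
        self.current_dir = direction
        self.buf.extend(payload)

    def flush(self) -> None:
        if self.buf and self.current_dir is not None:
            self.flushed.append((self.current_dir, bytes(self.buf)))
            self.buf = bytearray()

def reassembled_chunks(segments: List[Segment]) -> List[Tuple[str, bytes]]:
    """Return the chunks a content rule would be matched against, in order."""
    fb = FlowBuffer()
    for direction, payload in segments:
        fb.feed(direction, payload)
    fb.flush()          # end of session: hand over whatever is still buffered
    return fb.flushed

def rule_fires(segments: List[Segment], direction: str, needle: bytes) -> bool:
    """Would a content rule for `needle` on `direction` traffic alert?"""
    return any(d == direction and needle in data
               for d, data in reassembled_chunks(segments))

# Constructed sessions. ECHO_SESSION is the interactive case from the question:
# each typed byte goes client->server and is echoed back before the next one.
ECHO_SESSION: List[Segment] = [
    ("c2s", b"x"), ("s2c", b"x"), ("c2s", b"y"), ("s2c", b"y"),
    ("c2s", b"z"), ("s2c", b"z"),
]
# SCRIPT_SESSION is the suggested experiment: the server emits x, y, z with no
# client data in between. Note that a plain `echo x` also sends a newline, so
# use `printf x` (or `echo -n x`) if the three bytes must be contiguous.
SCRIPT_SESSION: List[Segment] = [
    ("c2s", b"sh ./test.sh\n"),
    ("s2c", b"x"), ("s2c", b"y"), ("s2c", b"z"),
]
```

Running `rule_fires(ECHO_SESSION, "s2c", b"xyz")` returns False and `rule_fires(SCRIPT_SESSION, "s2c", b"xyz")` returns True, which is the difference the reply is describing.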

