[Snort-users] stream4 - simple experiment
mkettler at ...4108...
Thu Jun 19 11:30:21 EDT 2003
At 10:26 AM 6/19/2003 -0400, CHARLES ASMUTH wrote:
>What do I need to do to get alerts for the client stream transmissions of
>the string "xyz"?
Stream4 flushes the buffer every time the "flow" of data switches. In your
case it never catches the individual byte-by-byte echo back, because it's
separated by traffic from the client. This is done to prevent stream4 from
having to buffer an *entire* tcp session, which could very quickly grow to
several gigs of data as a single "uber packet" in the case of a file download.
The point is to re-assemble fragments of the same fundamental "data chunk"
sent all at the same time to a server such as a mailserver, and flush
whenever the mailserver responds.
If however the server were to send 3 packets "x" "y" "z" without a client
data packet in between, the rule should fire. I'd suggest trying to write a
shell script that does something like:
log in and execute that and see what happens.
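As an added illustration of the flush rule described in the reply above (example code, not from the original post and not Snort's own stream4 source): a toy model of per-direction buffering that flushes whenever the flow changes side, run over two constructed sessions, one with the echo interleaved with client keystrokes and one with the three server bytes sent back-to-back. The `Pkt` type and the `reassemble` / `server_matches` names are assumptions made for this example.

```python
# Added example (not from the original post): a minimal model of stream4's
# flush-on-direction-change reassembly, used to show why a server echoing
# "xyz" one byte at a time only matches when no client data intervenes.
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass
class Pkt:
    direction: str   # "client" or "server" (hypothetical field names)
    payload: bytes

def reassemble(packets: List[Pkt]) -> List[Tuple[str, bytes]]:
    """Return the flushed stream buffers in order, as (direction, data).

    Model of the policy described in the post: bytes from one side
    accumulate until the other side sends data, at which point the buffer
    is flushed and handed to the detection engine as one reassembled chunk.
    """
    flushed: List[Tuple[str, bytes]] = []
    cur_dir: Optional[str] = None
    buf = b""
    for p in packets:
        if cur_dir is not None and p.direction != cur_dir and buf:
            flushed.append((cur_dir, buf))   # flow switched sides: flush
            buf = b""
        cur_dir = p.direction
        buf += p.payload
    if buf:
        flushed.append((cur_dir, buf))       # end of session: flush the rest
    return flushed

def server_matches(packets: List[Pkt], pattern: bytes) -> bool:
    """True if the pattern appears in any reassembled server->client chunk."""
    return any(d == "server" and pattern in data for d, data in reassemble(packets))

# Constructed sample sessions (not captured traffic).
# Case 1: interactive echo, every server byte separated by a client keystroke.
INTERLEAVED = [Pkt("client", b"x"), Pkt("server", b"x"),
               Pkt("client", b"y"), Pkt("server", b"y"),
               Pkt("client", b"z"), Pkt("server", b"z")]
# Case 2: server sends the three bytes back-to-back with no client data between.
CONSECUTIVE = [Pkt("client", b"xyz\n"),
               Pkt("server", b"x"), Pkt("server", b"y"), Pkt("server", b"z")]

if __name__ == "__main__":
    print("interleaved :", server_matches(INTERLEAVED, b"xyz"))   # False
    print("consecutive :", server_matches(CONSECUTIVE, b"xyz"))   # True
```

The interleaved session yields six one-byte chunks, so a content match on "xyz" never sees the whole string; the consecutive session yields a single server chunk "xyz" and matches.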