[Snort-users] stream4: logging characteristics
Brian A Kee
bkee at ...262...
Fri Nov 14 18:15:13 EST 2003
Regarding the stream4 preprocessor:
My understanding is that the stream4 preprocessor configured with the
log_flushed_streams option should, on a positive signature detect, log the
entire stream or "uber" packet when logging to tcpdump output.
preprocessor stream4: log_flushed_streams
Combining this with the stream4_reassemble options of client_only, server_only,
or both should result in an entire stream packet dump of the client side, server
side, or both sides of the TCP stream, respectively.
preprocessor stream4_reassemble: both
Is this a correct interpretation of these options?
The stream4 preprocessor is supposed to combine all of the packets from a TCP
stream into a single session "uber" packet. This being the case, would it not
be possible to write a rule such as:
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS \
    (msg:"POSITIVE -- WEB-IIS cmd.exe access"; \
    flow:established,only_stream; content:"cmd.exe"; nocase; \
    content:"200 OK"; nocase;)
that would match "cmd.exe" and "200 OK" only in the same session?
Brian A. Kee
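The following is an added example, not code from the post above and not Snort's own implementation. It models what a two-pattern rule like the one quoted can see under three inspection modes: each packet on its own, a per-direction reassembled buffer of the kind stream4_reassemble produces for the client side or the server side, and a whole-session buffer that joins both directions. The session, sequence numbers and HTTP payloads are constructed for the example; the reassembly and matching functions are a simplified model of the technique, not Snort code. Two caveats worth checking against the quoted rule: the `->` direction operator restricts it to client-to-server packets, so the server's "200 OK" reply is never in a packet that rule inspects, and a per-direction buffer holds only one side's bytes, so "cmd.exe" (in the request) and "200 OK" (in the reply) can only co-occur in a buffer that spans both directions.

```python
"""Model of per-packet vs. per-direction vs. whole-session content matching.

Constructed example (not Snort code). Shows why a rule carrying both
content:"cmd.exe" and content:"200 OK" can match on a joined session
buffer but not on a single packet or a single direction's stream buffer.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    direction: str   # "c2s" (client -> server) or "s2c" (server -> client)
    seq: int         # TCP sequence number of the first payload byte
    payload: bytes


# Constructed session: an IIS-style traversal request whose "cmd.exe" token is
# split across two segments that arrive out of order, with one retransmitted
# duplicate, followed by a two-segment "200 OK" reply.
REQ = (b"GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0\r\n"
       b"Host: www.example.test\r\n\r\n")
RESP = (b"HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n\r\n"
        b"Directory of C:\\inetpub\\scripts\r\n")

CUT = REQ.index(b"cmd.exe") + 2        # segment boundary falls inside "cmd.exe"
SESSION = [
    Segment("c2s", 1000 + CUT, REQ[CUT:]),   # second half arrives first
    Segment("c2s", 1000, REQ[:CUT]),
    Segment("c2s", 1000, REQ[:CUT]),         # retransmission of the first half
    Segment("s2c", 5000, RESP[:20]),
    Segment("s2c", 5020, RESP[20:]),
]


def reassemble(segments, direction):
    """Rebuild one direction's byte stream: order by seq and drop bytes that
    were already delivered (retransmits / overlaps). Raises on a gap."""
    buf = bytearray()
    next_seq = None
    ordered = sorted((s for s in segments if s.direction == direction),
                     key=lambda s: s.seq)
    for seg in ordered:
        if next_seq is None:
            next_seq = seg.seq
        if seg.seq > next_seq:
            raise ValueError("gap in %s stream at seq %d" % (direction, next_seq))
        skip = next_seq - seg.seq            # bytes we already have
        if skip < len(seg.payload):
            buf += seg.payload[skip:]
            next_seq = seg.seq + len(seg.payload)
    return bytes(buf)


def contains_all(buf, patterns):
    """Case-insensitive check that every pattern appears in buf (nocase)."""
    lowered = buf.lower()
    return all(p.lower() in lowered for p in patterns)


def per_packet_hits(segments, patterns):
    """Indices of individual packets that satisfy every pattern (no reassembly)."""
    return [i for i, s in enumerate(segments) if contains_all(s.payload, patterns)]


def reassembled_hits(segments, patterns, mode):
    """Per-direction reassembly, modelling client_only / server_only / both:
    each side is matched against its own buffer. Returns {direction: matched}."""
    sides = {"client_only": ["c2s"], "server_only": ["s2c"],
             "both": ["c2s", "s2c"]}[mode]
    return {d: contains_all(reassemble(segments, d), patterns) for d in sides}


def session_hits(segments, patterns):
    """Whole-session correlation: both directions joined into one buffer."""
    joined = reassemble(segments, "c2s") + reassemble(segments, "s2c")
    return contains_all(joined, patterns)


if __name__ == "__main__":
    both = [b"cmd.exe", b"200 OK"]
    print("per packet, cmd.exe       :", per_packet_hits(SESSION, [b"cmd.exe"]))
    print("per packet, 200 OK        :", per_packet_hits(SESSION, [b"200 OK"]))
    print("client_only, cmd.exe      :", reassembled_hits(SESSION, [b"cmd.exe"], "client_only"))
    print("both, cmd.exe AND 200 OK  :", reassembled_hits(SESSION, both, "both"))
    print("whole session, both       :", session_hits(SESSION, both))
```

Running it shows the three outcomes side by side: no single packet contains "cmd.exe" because the token is split, the reassembled client-side buffer does contain it, neither per-direction buffer contains both patterns, and only the joined session buffer satisfies both.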