[Snort-users] stream4: logging characteristics

Brian A Kee bkee at ...262...
Fri Nov 14 18:15:13 EST 2003


Regarding the stream4 preprocessor:

First:
My understanding is that the stream4 preprocessor configured with the 
log_flushed_streams option should, on a positive signature detect, log the 
entire stream or "uber" packet when logging to tcpdump output.

preprocessor stream4: log_flushed_streams


Combining this with the strem4_reasemble options of client_only, server_only, 
or both should result in entire stream packet dump of the client side, server 
side, or both sides of the tcp stream, respectively.

preprocessor stream4_reassemble: both


Is this a correct interpretation of these options?


Second:
The stream4 preprocessor is supposed to combine all of the packets from a tcp 
stream into a single session "uber" packet. This being the case would it not 
be possible to write a rule such as"

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS \
	(msg:"POSITIVE -- WEB-IIS cmd.exe access"; \
	flow:established,only_stream; content:"cmd.exe"; nocase; \
	content: "200 OK"; nocase; )

that would match "cmd.exe" and "200 OK" only in the same session?



-- 
Thank You, 

Brian A. Kee






More information about the Snort-users mailing list