[Snort-users] telnet session reassembly with stream4

Ned gned at ...12288...
Mon Oct 4 16:56:18 EDT 2004


Hi everyone,

I'm trying to use stream4 to reassemble a telnet session into one 
uberpacket, and to then perform some statistical analysis on the data. I 
have written a preprocessor that passes all reassembled packets to a 
function that does this analysis, and doesn't do anything with the rest of 
the packets.

I'm using the condition (p->packet_flags & PKT_REBUILT_STREAM) to decide 
whether to call the analysis function or not. The problem I'm having is 
that when I run snort on telnet captures the condition above never 
evaluates to true. For the other 10 protocols I'm analysing, I haven't had 
this problem.

Does anybody know what could be causing this?


cheers,

Ned






More information about the Snort-users mailing list