[Snort-users] byte_jump + Stream5, should it work?

Shaiming Hsiung shaiming.hsiung at ...11827...
Tue Dec 27 09:38:58 EST 2011

Many thanks for your answers.

Here is my snort.conf file. The aim here is to detect application-level
packets of the form:


where <offset> are four bytes encoding the number of Xs
we should skip to find the string "test". (The representation
is big endian).

-------- snort.conf

preprocessor stream5_global: track_tcp yes track_udp yes
preprocessor stream5_tcp: timeout 86400, protocol all, ports all
preprocessor stream5_udp: timeout 86400

config paf_max: 16000

alert tcp any any -> any any (sid:1000000; msg:"test package detected";\


The following Python file generates valid traffic given
the number of Xs to insert:

-------- snorttest.py

import sys
import struct

no = int(sys.argv[1])  # number of filler 'X' bytes to insert
# Layout: 'start', 4-byte big-endian count, the filler, then 'test'.
# Written as raw bytes so the script runs on both Python 2 and Python 3.
out = getattr(sys.stdout, 'buffer', sys.stdout)
out.write(b'start' + struct.pack('>I', no) + no * b'X' + b'test')


The problem is that Snort is not detecting packages when
the number of Xs is big (e.g. 10000). In that case the
application-level data is segmented in multiple TCP packets.

For instance, in this case, Snort detects the package:

$ python snorttest.py 10 | nc target 1234

While in this case it doesn't:

$ python snorttest.py 10000 | nc target 1234

I attach the files snorttest10.pcap and snorttest10000.pcap
corresponding to each of these cases.

Thanks in advance for your help,

Shaiming Hsiung
-------------- next part --------------
A non-text attachment was scrubbed...
Name: snorttest10.pcap
Type: application/cap
Size: 719 bytes
Desc: not available
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20111227/ea3ce970/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: snorttest10000.pcap
Type: application/cap
Size: 11693 bytes
Desc: not available
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20111227/ea3ce970/attachment-0001.bin>
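An added illustration (not part of the post, and not Snort's own engine) of why the 10000-X case depends on stream reassembly: a simplified model of the byte_jump check run once per TCP segment and once over the reassembled stream, with an assumed 1460-byte segment size and constructed messages in the post's format.

```python
import struct

MAGIC = b"start"
TRAILER = b"test"


def build_message(n):
    """Constructed sample traffic in the post's format:
    'start' + 4-byte big-endian count + n filler bytes + 'test'."""
    return MAGIC + struct.pack(">I", n) + b"X" * n + TRAILER


def byte_jump_match(buf):
    """Simplified model of the rule logic: find 'start', read the
    4-byte big-endian offset after it, skip that many bytes and
    require 'test' at the landing point, all within one buffer."""
    pos = buf.find(MAGIC)
    if pos < 0:
        return False
    hdr = pos + len(MAGIC)
    if len(buf) < hdr + 4:
        return False  # offset field cut off by the buffer boundary
    (skip,) = struct.unpack(">I", buf[hdr:hdr + 4])
    target = hdr + 4 + skip
    return buf[target:target + len(TRAILER)] == TRAILER


def segment(payload, mss=1460):
    """Split application data into segment-sized chunks (assumed MSS)."""
    return [payload[i:i + mss] for i in range(0, len(payload), mss)]


def detect_per_segment(payload, mss=1460):
    """What a detector sees without reassembly: each segment alone."""
    return any(byte_jump_match(seg) for seg in segment(payload, mss))


def detect_reassembled(payload, mss=1460):
    """What a detector sees once the stream has been reassembled."""
    return byte_jump_match(b"".join(segment(payload, mss)))


if __name__ == "__main__":
    for n in (10, 10000):
        msg = build_message(n)
        print(n, len(msg), detect_per_segment(msg), detect_reassembled(msg))
```

For 10 filler bytes the whole message fits one segment and both views match; for 10000 the jump target lies past the first segment, so only the reassembled view matches.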
