[Snort-users] Snort and buffering of packets

Knut Borg knutborg at ...11827...
Fri Jan 18 07:58:00 EST 2013


Hey, I have a question about buffering of packets.

What I want to do is that I want Snort to check for JPEG files in the
network stream, which is easy because I ask Snort to look for the JPEG
header. Then after Snort have detected a JPEG-file, I want Snort to store
the JPEG file in a buffer (i.e. not write it to disk, only store it in
RAM). Then I'm going to check the JPEG-file for bit patterns while Snort
still have the file stored in memory. If I can't find my own watermarks
Snort will send the packet as normal, if not I want Snort to drop the
packet. The reason why I don't want to store the JPEG file to a hard drive
is for efficiency purposes.

I'm currently experimenting with the idea and I'm wondering if it is
possible to pull off? I heard something about Snort being able to
quarantine packets, but I'm not sure if I would be able to access those
packets if they are quarantined.



Thanks in advance
Knut
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20130118/ec2ca2ca/attachment.html>


More information about the Snort-users mailing list