[Snort-users] Snort and buffering of packets

Joel Esler jesler at ...1935...
Sat Jan 19 11:44:57 EST 2013

Dear Knut,

Thanks for your email.  I believe you will find what you are looking for here: http://manual.snort.org/node470.html

Use a flowbit to set a flowbit on the JPEG header, then check that flowbit in a separate rule.

Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager

On Jan 18, 2013, at 7:58 AM, Knut Borg <knutborg at ...11827...> wrote:

> Hey, I have a question about buffering of packets.
> What I want to do is that I want Snort to check for JPEG files in the network stream, which is easy because I ask Snort to look for the JPEG header. Then after Snort have detected a JPEG-file, I want Snort to store the JPEG file in a buffer (i.e. not write it to disk, only store it in RAM). Then I'm going to check the JPEG-file for bit patterns while Snort still have the file stored in memory. If I can't find my own watermarks Snort will send the packet as normal, if not I want Snort to drop the packet. The reason why I don't want to store the JPEG file to a hard drive is for efficiency purposes. 
> I'm currently experimenting with the idea and I'm wondering if it is possible to pull off? I heard something about Snort being able to quarantine packets, but I'm not sure if I would be able to access those packets if they are quarantined.
> Thanks in advance
> Knut
> ------------------------------------------------------------------------------
> Master Visual Studio, SharePoint, SQL, ASP.NET, C# 2012, HTML5, CSS,
> MVC, Windows 8 Apps, JavaScript and much more. Keep your skills current
> with LearnDevNow - 3,200 step-by-step video tutorials by Microsoft
> MVPs and experts. SALE $99.99 this month only -- learn more at:
> http://p.sf.net/sfu/learnmore_122912_______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
> Please visit http://blog.snort.org to stay current on all the latest Snort news!

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20130119/05f3414b/attachment.html>

More information about the Snort-users mailing list