[Snort-users] Snort and buffering of packets

Joel Esler jesler at ...1935...
Thu Jan 24 09:05:25 EST 2013


If you wanted to just store the JPEG file, I'd probably advise something like the 'tag' keyword (you can find it in the manual as well).  Trigger on the JPEG's file magic as it's downloaded and tag the rest of the session.  

Then you can reconstruct the JPEG from the packet capture.


--
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire

On Jan 24, 2013, at 7:40 AM, Knut Borg <knutborg at ...11827...> wrote:

> Thanks for your reply.
> 
> My initial thought was to create a rule which detected a JPEG header and reported a detection to a Unix socket (http://manual.snort.org/node7.html) by using "-A unsock". I would then write a program that listened to Snort. When Snort sent an alert for detecting the JPEG header, my program would find the JPEG file/TCP session Snort stored/delayed in RAM.
> 
> As far as I understand flowbits, flowbits can be used in conjunction with the Stream5 preprocessor (http://manual.snort.org/node66.html#stream5_section). I'm wondering if this solution will only store a copy of the JPEG file and not delay the original TCP session?
> 
> 
> Thanks in advance 
> Knut
> 
> 
> 
> On Sat, Jan 19, 2013 at 5:44 PM, Joel Esler <jesler at ...1935...> wrote:
> Dear Knut,
> 
> Thanks for your email.  I believe you will find what you are looking for here: http://manual.snort.org/node470.html
> 
> Use a flowbit to set a flowbit on the JPEG header, then check that flowbit in a separate rule.
> 
> --
> Joel Esler
> Senior Research Engineer, VRT
> OpenSource Community Manager
> Sourcefire
> 
> On Jan 18, 2013, at 7:58 AM, Knut Borg <knutborg at ...11827...> wrote:
> 
>> Hey, I have a question about buffering of packets.
>> 
>> What I want to do is have Snort check for JPEG files in the network stream, which is easy because I ask Snort to look for the JPEG header. Then after Snort has detected a JPEG file, I want Snort to store the JPEG file in a buffer (i.e. not write it to disk, only store it in RAM). Then I'm going to check the JPEG file for bit patterns while Snort still has the file stored in memory. If I can't find my own watermarks, Snort will send the packet as normal; if not, I want Snort to drop the packet. The reason why I don't want to store the JPEG file to a hard drive is for efficiency purposes.
>> 
>> I'm currently experimenting with the idea and I'm wondering if it is possible to pull off? I heard something about Snort being able to quarantine packets, but I'm not sure if I would be able to access those packets if they are quarantined.
>> 
>> 
>> 
>> Thanks in advance
>> Knut
>> 
> 
> 
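
Joel's two suggestions above (set a flowbit on the JPEG file magic and check it in a second rule, or tag the rest of the session so it is logged for later reconstruction), written out as Snort 2.9 rules. This is an added example, not from the thread; it assumes the JPEG arrives in an HTTP response body, and the SIDs and the flowbit name are arbitrary choices of mine.

```snort
# Added example (not from the thread). Assumes Snort 2.9 with stream5 and
# http_inspect enabled, and a JPEG delivered as an HTTP response body.
# SIDs 1000001-1000003 and the flowbit name "jpeg.seen" are arbitrary.

# 1. Flowbits approach, first rule: only record that a JPEG header
#    (file magic FF D8 FF) was seen at the start of the response body.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( \
    msg:"JPEG header seen in HTTP response"; \
    flow:established,to_client; \
    file_data; content:"|FF D8 FF|"; depth:3; \
    flowbits:set,jpeg.seen; flowbits:noalert; \
    sid:1000001; rev:1; )

# 2. Flowbits approach, second rule: fires on later server-to-client
#    packets of the same flow (the rest of the JPEG). Further content
#    checks, e.g. for a watermark pattern, would go in this rule.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( \
    msg:"Data following JPEG header in same flow"; \
    flow:established,to_client; \
    flowbits:isset,jpeg.seen; \
    sid:1000002; rev:1; )

# 3. Tag approach: match the magic once and tag the remainder of the
#    session, so Snort logs the following packets (here up to 300) and
#    the file can be reconstructed from the capture afterwards.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( \
    msg:"JPEG download tagged for capture"; \
    flow:established,to_client; \
    file_data; content:"|FF D8 FF|"; depth:3; \
    tag:session,300,packets; \
    sid:1000003; rev:1; )
```

Rule 3 changes what gets logged, not what is forwarded: the tagged packets are written out as Snort sees them, which is why the file has to be reassembled from the capture afterwards.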
