Snort mailing list archives

Re: snort tcp session reassembly


From: Erek Adams <erek () snort org>
Date: Tue, 4 Mar 2003 11:48:51 -0500 (EST)

On Tue, 4 Mar 2003, gupta_sonali wrote:

I am using snort 1.8.7 to log packets from a TCP dump. In the conf file
I specify the following rule : log tcp any any <> any any
(session: binary;). This is placing all packets with the same source and
destination port combination into a single file, but the packets are in
the order in which they were captured, which is not the actual sequence
of packets.

Right.

 Is there any way to make snort arrange the packets in proper sequence
 based on their TCP sequence nos. as "Follow TCP Stream" in Ethereal
 does, so that the packets are obtained in the proper order in which
 they should be, not in the order in which they arrived.

P.S. I tried stream4 preprocessor, but that did not work for this

Stream4 won't work for a replayed tcpdump file.  For that to really work,
you would be better off to use tcpreplay [0] and then snort the streams.

Cheers!

-----
Erek Adams

   "When things get weird, the weird turn pro."   H.S. Thompson


[0]     http://tcpreplay.sourceforge.net/
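The ordering the questioner asks for (lay each direction of a TCP flow out by sequence number, as Ethereal's "Follow TCP Stream" does, instead of by capture order) can also be done directly on the pcap file. The script below is an added example written for this page; it is not Snort's stream4 nor tcpreplay, and nothing in the thread says Snort does it this way. It assumes an Ethernet/IPv4/TCP capture, ignores 32-bit sequence-number wrap-around, and builds its own small pcap in memory (the hosts 10.0.0.1 and 10.0.0.2, the ports, and the HTTP bytes are all constructed sample data). Out-of-order arrival, a retransmission and a segment that was never captured are all included so the reassembly logic has something to handle.

```python
"""Order captured TCP segments by sequence number, per flow direction.

Added example for the Snort-users thread above; not Snort or tcpreplay code.
Assumes Ethernet/IPv4/TCP frames and no 32-bit sequence wrap-around.
"""
import struct
from collections import defaultdict

PCAP_MAGIC = 0xA1B2C3D4      # little-endian pcap magic, microsecond timestamps
LINKTYPE_ETHERNET = 1


def build_segment(src, sport, dst, dport, seq, payload, flags=0x18):
    """Build one Ethernet/IPv4/TCP frame (constructed sample; checksums left zero)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, flags, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    eth = b"\x00" * 12 + b"\x08\x00"          # zero MACs, EtherType IPv4
    return eth + ip + tcp


def build_pcap(frames):
    """Serialize frames into a pcap byte string (one record per frame)."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", i, 0, len(frame), len(frame)) + frame
    return out


def parse_pcap(data):
    """Yield (src, sport, dst, dport, seq, payload) for every TCP/IPv4 frame in a pcap."""
    magic, = struct.unpack("<I", data[:4])
    endian = "<" if magic == PCAP_MAGIC else ">"
    off = 24                                  # skip the global header
    while off < len(data):
        _, _, incl_len, _ = struct.unpack(endian + "IIII", data[off:off + 16])
        frame = data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if frame[12:14] != b"\x08\x00":       # not IPv4
            continue
        ip = frame[14:]
        ihl = (ip[0] & 0x0F) * 4
        total_len = struct.unpack("!H", ip[2:4])[0]
        if ip[9] != 6:                        # not TCP
            continue
        src = ".".join(map(str, ip[12:16]))
        dst = ".".join(map(str, ip[16:20]))
        tcp = ip[ihl:total_len]               # drop any link-layer padding
        sport, dport, seq = struct.unpack("!HHI", tcp[:8])
        data_off = (tcp[12] >> 4) * 4
        yield src, sport, dst, dport, seq, tcp[data_off:]


def reassemble(segments):
    """Return {(src, sport, dst, dport): (stream_bytes, gaps)} ordered by sequence number.

    Retransmitted or overlapping bytes are trimmed so the first copy seen wins;
    a hole (segment never captured) is recorded in gaps as (expected_seq, next_seq).
    """
    flows = defaultdict(list)
    for src, sport, dst, dport, seq, payload in segments:
        if payload:                            # pure ACKs carry nothing to order
            flows[(src, sport, dst, dport)].append((seq, payload))
    result = {}
    for key, segs in flows.items():
        segs.sort(key=lambda s: s[0])          # sequence order, not capture order
        out, gaps = bytearray(), []
        next_seq = segs[0][0]
        for seq, payload in segs:
            if seq > next_seq:                 # hole in the capture
                gaps.append((next_seq, seq))
                next_seq = seq
            skip = next_seq - seq              # bytes already delivered (overlap/retransmit)
            if skip < len(payload):
                out += payload[skip:]
                next_seq = seq + len(payload)
        result[key] = (bytes(out), gaps)
    return result


def demo():
    """Constructed capture: client 10.0.0.1:40000 talking to server 10.0.0.2:80."""
    c, s = ("10.0.0.1", 40000), ("10.0.0.2", 80)
    frames = [
        build_segment(*c, *s, 1004, b"/index.html"),        # arrives before its predecessor
        build_segment(*c, *s, 1000, b"GET "),
        build_segment(*c, *s, 1004, b"/index.html"),        # retransmission of the first
        build_segment(*s, *c, 5000, b"HTTP/1.0 200 OK\r\n"),
        build_segment(*c, *s, 1015, b" HTTP/1.0\r\n\r\n"),
        build_segment(*s, *c, 5030, b"hello"),               # bytes 5017..5029 never captured
    ]
    return reassemble(parse_pcap(build_pcap(frames)))


if __name__ == "__main__":
    for flow, (stream, gaps) in demo().items():
        print(flow, stream, "gaps:", gaps)
```

Run against a real capture by replacing `build_pcap(frames)` with the bytes of the file; the per-direction keys are the same 4-tuple Snort's session logging groups on, so each entry corresponds to one of the files the questioner is already getting, now laid out by sequence number rather than arrival order.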


Snort-users mailing list