Snort mailing list archives

Re: snort session reassembly problem


From: Sven Fichtner <fichtner () bsnet de>
Date: Mon, 10 Mar 2003 14:39:00 +0100

On Fri, 7 Mar 2003 12:13:31 -0500 (EST)
Erek Adams <erek () snort org> wrote:

> On Fri, 7 Mar 2003, gupta_sonali wrote:
>
> > I am using snort to do multiple keyword search on a tcpdump file.
> > The output I need is all the sessions containing those keywords.
> > The complete session should be stored in case the keyword is found. I
> > specified session: binary in the conf file, and also tried enabling
> > the stream4 preprocessor.  However, I am facing two problems.
>
> Simply, Snort can't do that.
> You'll need to use something like ethereal's 'follow stream' feature.
> Stream4 needs to read packets off of the wire to function correctly.
> It can't do that from a pcap file.

Sounds like it would be useful to take tcpreplay which is a "tool to
replay saved tcpdump files at arbitrary speeds".

Sven Fichtner
-- 
B&S Network Communication Services GmbH
Kniestr. 27
30167 Hannover
Fon:        0511-97170.0
Fax:       0511-97170.35
eMail: fichtner () bsnet de
http:       www.bsnet.de
----------------------------------------------------------------------
Visit us at CeBIT 2003: Hall 17, Stand G11
Intrusion detection systems and security concepts
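The task the original poster describes, reassembling TCP sessions from a capture and keeping only those containing a keyword, done offline in a short added example (not from the thread, not Snort or tcpreplay code). It assumes plain Ethernet/IPv4/TCP frames, ignores IP fragmentation and sequence-number wrap, and builds its own constructed sample frames instead of reading a pcap.

```python
import struct
from collections import defaultdict

KEYWORDS = [b"password", b"GET /admin"]  # assumed search terms

def parse_frame(frame):
    """Return (flow key, seq, payload) for an Ethernet/IPv4/TCP frame, else None."""
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != 0x0800:
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    if ip[9] != 6:  # protocol field: only TCP is reassembled here
        return None
    tcp = ip[ihl:total_len]
    sport, dport, seq = struct.unpack("!HHI", tcp[:8])
    doff = (tcp[12] >> 4) * 4  # data offset in 32-bit words
    return (ip[12:16], sport, ip[16:20], dport), seq, tcp[doff:]

def reassemble(frames):
    """Join TCP payload per unidirectional flow in sequence-number order."""
    flows = defaultdict(dict)
    for frame in frames:
        parsed = parse_frame(frame)
        if parsed is None:
            continue
        key, seq, payload = parsed
        if payload:
            flows[key][seq] = payload  # a retransmission overwrites the same offset
    return {k: b"".join(v[s] for s in sorted(v)) for k, v in flows.items()}

def sessions_with_keywords(frames, keywords=KEYWORDS):
    """Return {flow: stream} for each reassembled stream holding any keyword."""
    return {k: s for k, s in reassemble(frames).items()
            if any(w in s for w in keywords)}

def build_frame(src, sport, dst, dport, seq, payload):
    """Constructed sample frame: minimal headers, checksums left at zero."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x18, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     bytes(src), bytes(dst))
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp + payload

# Constructed sample: a request split across two segments, delivered out of order,
# so the keyword "GET /admin" only appears once the stream is reassembled.
SAMPLE_FRAMES = [
    build_frame([10, 0, 0, 1], 40000, [10, 0, 0, 2], 80, 1005, b"admin HTTP/1.0\r\n\r\n"),
    build_frame([10, 0, 0, 1], 40000, [10, 0, 0, 2], 80, 1000, b"GET /"),
    build_frame([10, 0, 0, 2], 80, [10, 0, 0, 1], 40000, 5000, b"HTTP/1.0 200 OK\r\n"),
]
```

A per-packet match, which is what a plain content rule sees, misses the split keyword; only the reassembled stream is a reliable place to search.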
