Snort mailing list archives
Re: byte_jump + Stream5, should it work?
From: Shaiming Hsiung <shaiming.hsiung () gmail com>
Date: Tue, 27 Dec 2011 11:38:58 -0300
Many thanks for your answers. Here is my snort.conf file. The aim here is to detect application-level packets of the form:

    start<offset>XX...XXXtest

where <offset> are four bytes encoding the number of Xs we should skip to find the string "test". (The representation is big endian).

-------- snort.conf
preprocessor stream5_global: track_tcp yes track_udp yes
preprocessor stream5_tcp: timeout 86400, protocol all, ports all
preprocessor stream5_udp: timeout 86400
config paf_max: 16000

alert tcp any any -> any any (sid:1000000; msg:"test package detected";\
    content:"start";\
    byte_jump:4,0,relative;\
    content:"test";within:4;)
--------

The following Python file generates valid traffic given the number of Xs to insert:

-------- snorttest.py
import sys
import struct

no = int(sys.argv[1])
# 'start', a 4-byte big-endian count, that many Xs, then 'test'
payload = b'start' + struct.pack('>I', no) + b'X' * no + b'test'
# write raw bytes on both Python 2 and Python 3
getattr(sys.stdout, 'buffer', sys.stdout).write(payload)
--------

The problem is that Snort is not detecting packages when the number of Xs is big (e.g. 10000). In that case the application-level data is segmented in multiple TCP packets. For instance, in this case, Snort detects the package:

    $ python snorttest.py 10 | nc target 1234

While in this case it doesn't:

    $ python snorttest.py 10000 | nc target 1234

I attach the files snorttest10.pcap and snorttest10000.pcap corresponding to each of these cases.

Thanks in advance for your help,

-- Shaiming Hsiung
Attachment: snorttest10.pcap
Attachment: snorttest10000.pcap
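To make the symptom in the post concrete, here is an added illustration (not part of the post, nor Snort's own code): a simplified emulation of the rule's content/byte_jump/within logic, run once over the reassembled application message and once over individual TCP segments. The message is built exactly as snorttest.py does; the segment size of 1460 bytes is an assumption standing in for a typical MSS.

```python
import struct

START = b'start'
END = b'test'


def build_payload(count):
    """Constructed sample in the post's format:
    'start', a 4-byte big-endian count, that many 'X', then 'test'."""
    return START + struct.pack('>I', count) + b'X' * count + END


def rule_matches(data):
    """Emulate, in simplified form, the posted rule on one buffer:
    content:"start"; byte_jump:4,0,relative; content:"test"; within:4;"""
    pos = data.find(START)
    if pos < 0:
        return False
    cursor = pos + len(START)            # detection pointer sits after "start"
    if cursor + 4 > len(data):
        return False                     # byte_jump cannot read its 4 bytes
    jump = struct.unpack('>I', data[cursor:cursor + 4])[0]
    cursor += 4 + jump                   # skip the 4 bytes read, then jump
    if cursor > len(data):
        return False                     # jump target lies outside this buffer
    # within:4 with a 4-byte pattern: "test" must sit right at the pointer
    return END in data[cursor:cursor + 4]


def segment(data, mss=1460):
    """Split the message into TCP-sized segments (assumed MSS of 1460)."""
    return [data[i:i + mss] for i in range(0, len(data), mss)]


def detect(data, reassemble):
    """Apply the rule to the reassembled stream, or to each segment alone."""
    if reassemble:
        return rule_matches(data)
    return any(rule_matches(seg) for seg in segment(data))


if __name__ == '__main__':
    for count in (10, 10000):
        msg = build_payload(count)
        print('%d Xs: per-segment=%s reassembled=%s' % (
            count, detect(msg, False), detect(msg, True)))
```

With 10 Xs the whole message fits in one segment, so both modes match; with 10000 Xs the jump target lands in a later segment, and only the reassembled stream matches, which is the behaviour the post describes.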
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
Current thread:
- byte_jump + Stream5, should it work? Shaiming Hsiung (Dec 24)
- Re: byte_jump + Stream5, should it work? rmkml (Dec 24)
- Re: byte_jump + Stream5, should it work? Joel Esler (Dec 24)
- Re: byte_jump + Stream5, should it work? Shaiming Hsiung (Dec 27)
- Re: byte_jump + Stream5, should it work? rmkml (Dec 27)
- Re: [Snort-users] byte_jump + Stream5, should it work? rmkml (Dec 27)
- Re: byte_jump + Stream5, should it work? Shaiming Hsiung (Dec 27)