Snort mailing list archives

Re: Is there a snort/libnids alternative


From: Seth Hall <seth () icir org>
Date: Wed, 17 Oct 2012 00:45:13 -0400


On Oct 15, 2012, at 1:09 PM, Chris Green <greencm () gmail com> wrote:

> The main thing missing in libnids is continued reassembly of tcp-flows
> even though there are SPAN packet drops.
>
> You need to look at Bro scripts

Since it was mentioned… Yep, Bro already supports this.  If you run it from the command line you can make it extract all sessions by default like this:

bro -r ~/some-packet.pcap Conn::default_extract=T

A bunch of files beginning with contents_* will be generated (2 per connection).  If there is a content gap, Bro will just continue right past it and there will be no indicator of the gap in the files being output.  If you need an indicator of the gap or something like a null byte to represent each missed byte, I could write a script to do that too.

.Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro-ids.org/



