Snort mailing list archives
Re: Snort and buffering of packets
From: Joel Esler <jesler () sourcefire com>
Date: Sat, 19 Jan 2013 11:44:57 -0500
Dear Knut,

Thanks for your email. I believe you will find what you are looking for here: http://manual.snort.org/node470.html

Use a flowbit to set a flowbit on the JPEG header, then check that flowbit in a separate rule.

--
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire

On Jan 18, 2013, at 7:58 AM, Knut Borg <knutborg () gmail com> wrote:
Hey,

I have a question about buffering of packets. What I want to do is that I want Snort to check for JPEG files in the network stream, which is easy because I ask Snort to look for the JPEG header. Then after Snort has detected a JPEG file, I want Snort to store the JPEG file in a buffer (i.e. not write it to disk, only store it in RAM). Then I'm going to check the JPEG file for bit patterns while Snort still has the file stored in memory. If I can't find my own watermarks Snort will send the packet as normal, if not I want Snort to drop the packet.

The reason why I don't want to store the JPEG file to a hard drive is for efficiency purposes. I'm currently experimenting with the idea and I'm wondering if it is possible to pull off? I heard something about Snort being able to quarantine packets, but I'm not sure if I would be able to access those packets if they are quarantined.

Thanks in advance
Knut

------------------------------------------------------------------------------
Master Visual Studio, SharePoint, SQL, ASP.NET, C# 2012, HTML5, CSS, MVC, Windows 8 Apps, JavaScript and much more. Keep your skills current with LearnDevNow - 3,200 step-by-step video tutorials by Microsoft MVPs and experts. SALE $99.99 this month only -- learn more at: http://p.sf.net/sfu/learnmore_122912
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
Please visit http://blog.snort.org to stay current on all the latest Snort news!
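The two-rule flowbit approach suggested in the reply above, written out as an added example that is not part of the original post or of any Snort ruleset. The flowbit name `local.jpeg`, the sids, the traffic direction and the `|DE AD BE EF|` watermark bytes are all constructed placeholders.

```snort
# Added example. Assumes JPEGs arrive in HTTP responses to $HOME_NET and that
# the HTTP preprocessor is enabled so file_data points at the response body.

# Rule 1: tag the flow when the response body opens with the JPEG SOI marker
# (FF D8) followed by the first byte of the next marker (FF).
# flowbits:noalert keeps this rule silent; it only records state on the flow.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( \
    msg:"LOCAL JPEG header seen, flowbit set"; \
    flow:to_client,established; \
    file_data; content:"|FF D8 FF|"; depth:3; \
    flowbits:set,local.jpeg; flowbits:noalert; \
    classtype:misc-activity; sid:1000001; rev:1;)

# Rule 2: evaluated only on flows already tagged by rule 1. It searches the
# payload for the watermark byte pattern (placeholder bytes shown here).
# Replace "alert" with "drop" when Snort runs inline and the packet should
# be blocked; in passive mode a drop rule can only alert.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( \
    msg:"LOCAL watermark pattern in JPEG flow"; \
    flow:to_client,established; \
    flowbits:isset,local.jpeg; \
    content:"|DE AD BE EF|"; \
    classtype:policy-violation; sid:1000002; rev:1;)
```

Both rules match against individual packets and stream-reassembled segments, not against a whole file held in memory, so a pattern that straddles a segment boundary depends on stream reassembly being enabled for the port.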
Current thread:
- Snort and buffering of packets Knut Borg (Jan 19)
- Re: Snort and buffering of packets Joel Esler (Jan 19)
- Re: Snort and buffering of packets Knut Borg (Jan 24)
- Re: Snort and buffering of packets Joel Esler (Jan 24)
- Re: Snort and buffering of packets Knut Borg (Jan 24)
- Re: Snort and buffering of packets Joel Esler (Jan 19)