Snort mailing list archives
RE: Fragments and stuff
From: "Sheahan, Paul (PCLN-NW)" <Paul.Sheahan () priceline com>
Date: Tue, 30 Apr 2002 18:26:56 -0400
"what protection does snort have for detecting a signature that has been split over 2 packets....."

I believe the frag2 preprocessor should reassemble the fragments, then analyze the resulting packet against the ruleset. Though if not all fragments are received, then the packet can't be reassembled. Not sure how Snort handles this?

"What do people consider fragmentation?..............."

When the MF bit is set, the packet is considered fragged.....

-----Original Message-----
From: Ian Macdonald [mailto:secsnort () dirk demon co uk]
Sent: Tuesday, April 30, 2002 2:21 PM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Fragments and stuff

I started looking at this problem the other day. I want to be able to detect an event. From looking at sniffs of the traffic, 90% of the time the 2 content strings I am interested in appear in the payload of one packet. However I have seen cases where one content string is in one packet, then the other is in the next packet.

This raised some general questions. Since snort is signature based, what protection does snort have for detecting a signature that has been split over 2 packets?

What do people consider fragmentation? Is it just when a router has split up the data, or does it include multiple packets that come from, say, a web server sending a large html page that would be split up into multiple packets?

I am running in my test environment with the following preprocessors:

preprocessor frag2
preprocessor stream4: detect_scans
preprocessor stream4_reassemble
preprocessor http_decode: 80 -unicode -cginull
preprocessor rpc_decode: 111 32771
preprocessor bo: -nobrute
preprocessor telnet_decode
preprocessor portscan: $HOME_NET 4 3 portscan.log

and running with the snort option -o.

From looking at the documentation it seems that stream4_reassemble should do the trick, but I am unsure what clientonly and serveronly mean. I am also unsure what the impact of changing from the default of reassemble client to reassemble server is.
When I tried adding the options clientonly and serveronly, the snort start up info said they were both disabled.

Thanks in advance

Ian

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
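The situation Ian describes, as an added example that is not from the thread or from Snort itself: a per-packet content check misses a signature whose two strings land in different TCP segments, while inspecting the reassembled stream (the job stream4_reassemble does) recovers it, and a stream with a missing segment cannot be reassembled at all. The content strings, sequence numbers and payloads are constructed sample data.

```python
# Added example (not from the Snort thread): per-packet matching versus
# matching on a reassembled TCP stream. All values are constructed.
from typing import Optional

# Two content strings that must both be present (hypothetical values).
CONTENT_A = b"GET /cgi-bin/"
CONTENT_B = b"HTTP/1.0"


def matches_per_packet(segments: list[tuple[int, bytes]]) -> bool:
    """Packet-by-packet inspection: both strings must be in ONE payload."""
    return any(CONTENT_A in p and CONTENT_B in p for _, p in segments)


def reassemble(segments: list[tuple[int, bytes]], isn: int) -> Optional[bytes]:
    """Order segments by sequence number and join them into one stream.

    Returns None when a hole is found (a segment never arrived), which is
    the case where a partially received stream cannot be reassembled.
    """
    stream = b""
    expected = isn
    for seq, payload in sorted(segments):
        if seq != expected:  # gap in the sequence space
            return None
        stream += payload
        expected += len(payload)
    return stream


def matches_reassembled(segments: list[tuple[int, bytes]], isn: int) -> bool:
    """Inspect the reassembled stream instead of individual packets."""
    stream = reassemble(segments, isn)
    return stream is not None and CONTENT_A in stream and CONTENT_B in stream


# Constructed capture: the request is split so CONTENT_B sits in the
# second segment; a second list delivers the segments out of order.
ISN = 1000
SPLIT = [(1000, b"GET /cgi-bin/test.pl "), (1021, b"HTTP/1.0\r\n\r\n")]
OUT_OF_ORDER = [SPLIT[1], SPLIT[0]]
MISSING_SEGMENT = [SPLIT[1]]  # the first segment was never captured

if __name__ == "__main__":
    print(matches_per_packet(SPLIT))  # False: strings are in different packets
    print(matches_reassembled(OUT_OF_ORDER, ISN))  # True: stream reordered and joined
    print(matches_reassembled(MISSING_SEGMENT, ISN))  # False: hole, no reassembly
```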
Current thread:
- Fragments and stuff Ian Macdonald (Apr 30)
- <Possible follow-ups>
- RE: Fragments and stuff Sheahan, Paul (PCLN-NW) (Apr 30)
- RE: Fragments and stuff Ian Macdonald (Apr 30)