Snort mailing list archives

RE: Fragments and stuff


From: "Sheahan, Paul (PCLN-NW)" <Paul.Sheahan () priceline com>
Date: Tue, 30 Apr 2002 18:26:56 -0400

"what protection does snort have for detecting a signature that has been
split over 2 packets....."
I believe the frag2 preprocessor should reassemble the fragments, then
analyze the resulting packet against the ruleset. Though if not all
fragments are received, then the packet can't be reassembled. I'm not sure
how Snort handles this.

"What do people consider fragmentation?..............."
When the MF bit is set, the packet is considered fragged.....


-----Original Message-----
From: Ian Macdonald [mailto:secsnort () dirk demon co uk]
Sent: Tuesday, April 30, 2002 2:21 PM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Fragments and stuff


I started looking at this problem the other day. I want to be able to detect
an event. From looking at sniffs of the traffic, 90% of the time the 2
content strings I am interested in appear in the payload of one packet.
However I have seen cases where one content string is in one packet then the
other is in the next packet.

This raised some general questions. Since snort is signature-based, what
protection does snort have for detecting a signature that has been split
over 2 packets?

What do people consider fragmentation? Is it just when a router has split up
the data, or does it include multiple packets that come from, say, a web server
sending a large html page that would be split up into multiple packets?

I am running in my test environment with the following preprocessors

preprocessor frag2
preprocessor stream4: detect_scans
preprocessor stream4_reassemble
preprocessor http_decode: 80 -unicode -cginull
preprocessor rpc_decode: 111 32771
preprocessor bo: -nobrute
preprocessor telnet_decode
preprocessor portscan: $HOME_NET 4 3 portscan.log

and running with the snort options -o

From looking at the documentation it seems that stream4_reassemble should do
the trick, but I am unsure what clientonly and serveronly mean. I am also
unsure what the impact of changing from the default of reassemble client to
reassemble server is. When I tried adding the options clientonly and
serveronly, the snort start up info said they were both disabled.

Thanks in advance

Ian
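
The following Python is an added worked example, not code from this thread
and not Snort's own frag2 or stream4 code. It is a toy model of the two
points raised above: a datagram split into IP fragments (MF bit set on all
but the last piece) that has to be rebuilt before a content match can
succeed, and a rule with two content strings that only fires once the TCP
segments carrying them are reassembled into one stream. The class and
function names, the STRING_ONE / STRING_TWO payloads, and the reading of the
clientonly / serveronly / both choice as "which direction's stream gets
rebuilt" are constructed here for illustration; real overlap and policy
handling in the preprocessors is more involved than this.

```python
# Added example, not from the thread or the Snort code base: a toy model of
# the two points discussed above (MF-bit fragments that must be rebuilt before
# matching, and a two-content signature split across TCP segments).  All
# names, sample payloads and the policy semantics are constructed here.
from dataclasses import dataclass
from typing import List, Optional, Sequence

# ---- IP fragments: what frag2 has to do before the rules see a datagram ----

@dataclass
class IPFragment:
    ident: int      # IP identification, shared by all pieces of one datagram
    offset: int     # fragment offset in 8-byte units, as carried in the header
    mf: bool        # More Fragments flag
    payload: bytes

def is_fragmented(frag: IPFragment) -> bool:
    # MF set, or a non-zero offset: the final piece has MF clear but offset > 0.
    return frag.mf or frag.offset != 0

def fragment(ident: int, data: bytes, chunk: int = 16) -> List[IPFragment]:
    """Split data into chunk-byte fragments (chunk must be a multiple of 8)."""
    assert chunk % 8 == 0
    return [IPFragment(ident, i // 8, i + chunk < len(data), data[i:i + chunk])
            for i in range(0, len(data), chunk)]

def reassemble_ip(frags: Sequence[IPFragment]) -> Optional[bytes]:
    """Rebuild one datagram; None if any piece (including the last, MF-clear
    one) is missing, so an incomplete set is never matched as a whole."""
    pieces = sorted(frags, key=lambda f: f.offset)
    if not pieces or pieces[-1].mf:
        return None
    buf = bytearray()
    for f in pieces:
        if f.offset * 8 != len(buf):    # gap or overlap: toy policy is to give up
            return None
        buf += f.payload
    return bytes(buf)

# ---- TCP segments: what stream4_reassemble has to do for a split signature ----

@dataclass
class TCPSegment:
    seq: int
    to_server: bool  # True = client->server, False = server->client
    payload: bytes

def rule_matches(data: bytes, contents: Sequence[bytes]) -> bool:
    """A rule with several content: options fires only if every string is present."""
    return all(c in data for c in contents)

def per_packet_match(segs: Sequence[TCPSegment], contents: Sequence[bytes]) -> bool:
    """Inspection of each packet on its own, with no reassembly."""
    return any(rule_matches(s.payload, contents) for s in segs)

def reassemble_tcp(segs: Sequence[TCPSegment], isn: int) -> Optional[bytes]:
    """Concatenate one direction's payloads in sequence order; None on a hole."""
    buf = bytearray()
    expect = isn
    for s in sorted(segs, key=lambda s: s.seq):
        if s.seq != expect:
            return None
        buf += s.payload
        expect += len(s.payload)
    return bytes(buf)

def reassembled_direction(policy: str, to_server: bool) -> bool:
    """Toy reading (an assumption of this example) of the clientonly /
    serveronly / both choice: which direction's stream is rebuilt and handed
    to the detection engine."""
    return {"clientonly": to_server, "serveronly": not to_server, "both": True}[policy]

def detect(segs: Sequence[TCPSegment], isn: int, contents: Sequence[bytes],
           policy: str = "clientonly") -> bool:
    """Packets are always checked individually; the rebuilt stream is checked
    too, but only for the direction the policy reassembles."""
    if per_packet_match(segs, contents):
        return True
    if not segs or not reassembled_direction(policy, segs[0].to_server):
        return False
    data = reassemble_tcp(segs, isn)
    return data is not None and rule_matches(data, contents)

# ---- constructed sample traffic ----
SIG = (b"STRING_ONE", b"STRING_TWO")   # stand-ins for the two content strings
ISN = 1000
SAME_PKT = [TCPSegment(ISN, True, b"xx STRING_ONE yy STRING_TWO zz")]
SPLIT = [TCPSegment(ISN, True, b"xx STRING_ONE yy "),
         TCPSegment(ISN + 17, True, b"STRING_TWO zz")]
SPLIT_FROM_SERVER = [TCPSegment(s.seq, False, s.payload) for s in SPLIT]
DATAGRAM = b"A" * 20 + b"STRING_ONE" + b"B" * 20 + b"STRING_TWO" + b"C" * 4
FRAGS = fragment(0x1234, DATAGRAM)

if __name__ == "__main__":
    print("same packet:", detect(SAME_PKT, ISN, SIG))
    print("split, per packet only:", per_packet_match(SPLIT, SIG))
    print("split, with stream reassembly:", detect(SPLIT, ISN, SIG))
    print("split from server, clientonly:", detect(SPLIT_FROM_SERVER, ISN, SIG))
    print("fragments rebuilt:", reassemble_ip(FRAGS) == DATAGRAM)
    print("one fragment missing:", reassemble_ip(FRAGS[:-1]))
```

Run as a script, it shows the two failure modes from the thread: the split
signature is invisible to per-packet matching but caught once the client
stream is rebuilt, the same split carried server-to-client is missed under
the clientonly policy, and a fragment set with a piece missing is never
matched as a whole because it never reassembles.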




_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
