Snort mailing list archives
RE: Fragments and stuff
From: Ian Macdonald <secsnort () dirk demon co uk>
Date: Tue, 30 Apr 2002 21:28:44 -0500 (EST)
On Tue, 30 Apr 2002, Sheahan, Paul (PCLN-NW) wrote:
> "what protection does snort have for detecting a signature that has been split over 2 packets....."
>
> I believe the frag2 preprocessor should reassemble the fragments, then analyze the resulting packet against the ruleset. Though if not all fragments are received, then the packet can't be reassembled. Not sure how Snort handles this?
So how are these logged? Does snort log each packet as it comes in, or does it log multiple entries, one for each packet?

Thanks
Ian
> -----Original Message-----
> From: Ian Macdonald [mailto:secsnort () dirk demon co uk]
> Sent: Tuesday, April 30, 2002 2:21 PM
> To: snort-users () lists sourceforge net
> Subject: [Snort-users] Fragments and stuff
>
> I started looking at this problem the other day. I want to be able to detect an event. From looking at sniffs of the traffic, 90% of the time the 2 content strings I am interested in appear in the payload of one packet. However, I have seen cases where one content string is in one packet and the other is in the next packet.
>
> This raised some general questions. Since snort is signature-based, what protection does snort have for detecting a signature that has been split over 2 packets? What do people consider fragmentation? Is it just when a router has split up the data, or does it include multiple packets that come from, say, a web server sending a large html page that would be split up into multiple packets?
>
> I am running in my test environment with the following preprocessors:
>
> preprocessor frag2
> preprocessor stream4: detect_scans
> preprocessor stream4_reassemble
> preprocessor http_decode: 80 -unicode -cginull
> preprocessor rpc_decode: 111 32771
> preprocessor bo: -nobrute
> preprocessor telnet_decode
> preprocessor portscan: $HOME_NET 4 3 portscan.log
>
> and running with the snort option -o.
>
> From looking at the documentation it seems that stream4_reassemble should do the trick, but I am unsure what clientonly and serveronly mean. I am also unsure what the impact of changing from the default of reassemble client to reassemble server is. When I tried adding the options clientonly and serveronly, the snort start-up info said they were both disabled.
>
> Thanks in advance
> Ian
>
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
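The split-signature problem Ian describes, and the missing-segment case Paul raises, shown as an added example. This is not code from the thread or from Snort; it is a small Python model of what a TCP stream reassembler does before the content match runs. The payloads, sequence numbers and the mapping of the clientonly / serveronly / both keywords onto "which direction gets stream-level matching" are this example's own constructions, chosen to mirror the stream4_reassemble keywords Ian asks about, not Snort's implementation.

```python
"""Added example (not from the thread, not Snort code): why content matching
one packet at a time misses a signature split across two TCP segments, and
what a stream reassembler does with out-of-order, retransmitted and missing
segments. All packet payloads and sequence numbers are constructed for the demo."""

from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class Segment:
    seq: int        # TCP sequence number of the first payload byte
    payload: bytes


def match_rule(data: bytes, contents: List[bytes]) -> bool:
    """Ordered content match: each content must occur after the previous one,
    in the spirit of chained Snort 'content:' options."""
    pos = 0
    for c in contents:
        idx = data.find(c, pos)
        if idx < 0:
            return False
        pos = idx + len(c)
    return True


def packet_matches(segments: List[Segment], contents: List[bytes]) -> List[int]:
    """Packet-at-a-time inspection: indexes of segments that match on their own."""
    return [i for i, s in enumerate(segments) if match_rule(s.payload, contents)]


def reassemble(segments: List[Segment], isn: int) -> Tuple[bytes, bool]:
    """Rebuild the byte stream that starts at sequence number isn.

    Segments are sorted by seq; bytes already delivered (retransmits or
    overlapping segments) are skipped, so the first copy wins. If a hole is
    found, the stream is returned up to the hole with complete=False: without
    the missing segment the rest cannot be placed, which is the case Paul
    raises in the thread.
    """
    buf = bytearray()
    nxt = isn
    for seg in sorted(segments, key=lambda s: s.seq):
        end = seg.seq + len(seg.payload)
        if end <= nxt:
            continue                         # pure retransmission, nothing new
        if seg.seq > nxt:
            return bytes(buf), False         # gap: a segment is missing
        buf += seg.payload[nxt - seg.seq:]   # drop any overlapping prefix
        nxt = end
    return bytes(buf), True


def stream_matches(segments: List[Segment], isn: int,
                   contents: List[bytes]) -> Tuple[bool, bool]:
    """Match the rule against the reassembled stream; also report completeness."""
    data, complete = reassemble(segments, isn)
    return match_rule(data, contents), complete


# Which directions get stream-level matching for each stream4_reassemble keyword.
# The keyword names are Snort's; this table is the example's own model (assumption).
REASSEMBLE_DIRS = {
    "clientonly": {"client"},
    "serveronly": {"server"},
    "both": {"client", "server"},
}


def inspect_session(session: Dict[str, Tuple[int, List[Segment]]],
                    contents: List[bytes], mode: str = "clientonly") -> Dict[str, dict]:
    """Packet-level matching on every direction; stream-level matching only on
    the directions selected by mode."""
    report = {}
    for direction, (isn, segs) in session.items():
        entry = {"packet": bool(packet_matches(segs, contents)),
                 "stream": None, "complete": None}
        if direction in REASSEMBLE_DIRS[mode]:
            entry["stream"], entry["complete"] = stream_matches(segs, isn, contents)
        report[direction] = entry
    return report


# Constructed traffic: the two contents land in different client segments.
CONTENTS = [b"/cgi-bin/", b"/bin/sh"]
P1 = b"GET /cgi-bin/test.cgi?cmd="
P2 = b"/bin/sh%20-c HTTP/1.0\r\n\r\n"
CLIENT_ISN = 1000
CLIENT_SEGS = [                 # arrives out of order, with a retransmit of P1
    Segment(CLIENT_ISN + len(P1), P2),
    Segment(CLIENT_ISN, P1),
    Segment(CLIENT_ISN, P1),
]
SERVER_ISN = 5000
SERVER_SEGS = [Segment(SERVER_ISN, b"HTTP/1.0 200 OK\r\n\r\nok\n")]
SESSION = {"client": (CLIENT_ISN, CLIENT_SEGS), "server": (SERVER_ISN, SERVER_SEGS)}


if __name__ == "__main__":
    for mode in ("clientonly", "serveronly", "both"):
        print(mode, inspect_session(SESSION, CONTENTS, mode))
    print("missing segment:", reassemble(CLIENT_SEGS[:1], CLIENT_ISN))
```

Running it shows the three things the thread circles around: no single client packet matches both contents, the reassembled client stream does, and a direction that is not selected for reassembly (the client side under serveronly) only ever gets the per-packet check. Dropping the first segment leaves a hole, so the reassembler returns an incomplete stream and the match never sees the second content. The first-copy-wins overlap rule is a simplification; how a sensor resolves overlapping segments relative to the end host is its own evasion topic and is not modelled here.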
Current thread:
- Fragments and stuff Ian Macdonald (Apr 30)
- <Possible follow-ups>
- RE: Fragments and stuff Sheahan, Paul (PCLN-NW) (Apr 30)
- RE: Fragments and stuff Ian Macdonald (Apr 30)