Snort mailing list archives
Telnet/SMTP stream reassembly
From: Stefan Lundin <enable_reload () yahoo com>
Date: Wed, 19 Feb 2003 06:41:02 -0800 (PST)
Hi all,

I'd like to construct a kind of "Echelon" device which sniffs, for instance, telnet and SMTP traffic, listening for a certain keyword or keywords in the session. This works great as far as finding the keyword in a packet, but I'd like to log the whole session (to be able to read the whole telnet session or the whole mail) and not just the individual packets containing the keyword. I thought this was what the stream4 and telnet_decode preprocessors would get me, but it doesn't seem to work all that well.

For debugging, I've created a rule that matches all telnet traffic to a host, with a simple rule like:

    log tcp any any <> 192.168.23.12 23 (sid:1000005; rev:7; msg:"lab"; classtype:bad-unknown;)

When telnetting to the host under monitoring, I get most of the keypresses logged as individual packets; some are reassembled together, and it also looks like I get alerts for both the individual packets and the reassembled data. But what I want is just one alert containing all the data sent to and from the server in that session...

Because it seems as if Snort is able to reassemble some of the packets, it looks like some kind of wrong tuning, but I have tried to tweak all the parameters for the stream4 preprocessor (and yes, I have changed the ports to process to only port 23 and 35), but it doesn't seem to matter that much...

Thanks for any ideas on the subject!

//Stefan
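The behaviour described in the post (keywords found in single packets, some data reassembled, several alerts per session) is easiest to reason about with a small reassembler in hand. The following is an added example and is not code from Stefan's post or from Snort: it rebuilds each direction of a session in sequence order, tolerates an out-of-order keystroke and a retransmission, and runs the same keyword check per packet, over the whole reassembled direction, and over chunks cut at a flush threshold. The flush threshold is an assumption loosely modelled on the idea of a reassembly flush point, not Snort's actual algorithm; the addresses, ports, sequence numbers and payloads are all constructed for illustration.

```python
"""Session-level keyword matching over a constructed telnet exchange.

Added example, not code from the original post or from Snort.  The flush
threshold loosely models a reassembly flush point (an assumption, not
Snort's exact behaviour); all traffic below is constructed.
"""
from dataclasses import dataclass, field


@dataclass
class Segment:
    src: str
    sport: int
    dst: str
    dport: int
    seq: int        # sequence number of payload[0]
    payload: bytes


@dataclass
class Stream:
    next_seq: int                                   # next byte still needed
    pending: dict = field(default_factory=dict)     # seq -> out-of-order data
    buffer: bytearray = field(default_factory=bytearray)


class SessionReassembler:
    """Rebuilds each direction of a session in sequence order.

    flush_bytes=None returns each direction whole on close(); an integer
    hands back a chunk whenever the contiguous buffer reaches that size.
    """

    def __init__(self, flush_bytes=None):
        self.flush_bytes = flush_bytes
        self.streams = {}  # (src, sport, dst, dport) -> Stream

    def feed(self, seg):
        key = (seg.src, seg.sport, seg.dst, seg.dport)
        st = self.streams.get(key)
        if st is None:
            st = self.streams[key] = Stream(next_seq=seg.seq)
        seq, data = seg.seq, seg.payload
        if not data:
            return []
        if seq < st.next_seq:
            # Retransmission: drop bytes already delivered, keep any new tail.
            already = st.next_seq - seq
            if already >= len(data):
                return []
            seq, data = st.next_seq, data[already:]
        st.pending.setdefault(seq, data)  # first copy of a segment wins
        flushed = []
        while st.next_seq in st.pending:  # drain everything now contiguous
            chunk = st.pending.pop(st.next_seq)
            st.buffer += chunk
            st.next_seq += len(chunk)
            if self.flush_bytes and len(st.buffer) >= self.flush_bytes:
                flushed.append((key, bytes(st.buffer)))
                st.buffer.clear()
        return flushed

    def close(self):
        out = [(k, bytes(s.buffer)) for k, s in self.streams.items() if s.buffer]
        for s in self.streams.values():
            s.buffer.clear()
        return out


CLIENT = ("192.168.23.50", 3456, "192.168.23.12", 23)   # constructed
SERVER = ("192.168.23.12", 23, "192.168.23.50", 3456)   # constructed


def build_sample_session():
    """Constructed traffic: a server prompt, then 'secret' typed one key per
    segment, with one pair of keystrokes reordered and one retransmitted."""
    segs = [Segment(*SERVER, seq=5000, payload=b"login: ")]
    keys = b"secret\r\n"
    client = [Segment(*CLIENT, seq=1000 + i, payload=bytes([b]))
              for i, b in enumerate(keys)]
    client[2], client[3] = client[3], client[2]                 # 'r' before 'c'
    client.insert(4, Segment(*CLIENT, seq=1001, payload=b"e"))  # duplicate 'e'
    return segs + client


def reassemble(segments, flush_bytes=None):
    """All (direction, chunk) pairs the reassembler emits for the segments."""
    r = SessionReassembler(flush_bytes)
    chunks = []
    for s in segments:
        chunks.extend(r.feed(s))
    chunks.extend(r.close())
    return chunks


def per_packet_hits(segments, keyword):
    """Sequence numbers of individual segments that contain the keyword."""
    return [s.seq for s in segments if keyword in s.payload]


def session_hits(segments, keyword, flush_bytes=None):
    """(direction, chunk) pairs whose reassembled data contains the keyword."""
    return [(k, c) for k, c in reassemble(segments, flush_bytes) if keyword in c]


if __name__ == "__main__":
    segs = build_sample_session()
    print("per packet:", per_packet_hits(segs, b"secret"))
    print("whole session:", session_hits(segs, b"secret"))
    print("flush every 4 bytes:", reassemble(segs, flush_bytes=4))
```

Run as a script it shows the three cases side by side: no single keystroke packet matches, the whole client-to-server direction matches once, and cutting the direction every four bytes yields "secr" and "et\r\n", neither of which matches. Whatever the real preprocessor's flush rule is, a keyword that straddles a chunk boundary is lost and each chunk is a separate unit to alert on, which is one reason a single alert covering a whole session is not what reassembly by itself produces.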