Snort mailing list archives

Telnet/SMTP stream reassembly


From: Stefan Lundin <enable_reload () yahoo com>
Date: Wed, 19 Feb 2003 06:41:02 -0800 (PST)


Hi all,

I'd like to construct a kind of "Echelon" device which sniffs, for instance, telnet and SMTP traffic, listening for
certain keyword/keywords in the session. This works great as far as finding the keyword in a packet, but I'd like to
log the whole session (to be able to read the whole telnet session or the whole mail) and not just the individual
packets containing the keyword.

I thought this was what the stream4 and telnet_decode preprocessors would get me, but it doesn't seem to work all that
well.

For debugging, I've created a rule that matches all telnet traffic to a host with a simple rule like:
log tcp any any <> 192.168.23.12 23 ( sid: 1000005; rev: 7; msg: "lab"; classtype: bad-unknown;)

When telnetting to the host under monitoring, I get most of the keypresses logged as individual packets, some are
reassembled together, and it also looks like I get alerts for both the individual packets as well as the reassembled
data. But what I want is just one alert containing all the data sent to and from the server in that session...

Because it seems as if snort is able to reassemble some of the packets, it looks like some kind of wrong tuning, but I
have tried to tweak all the parameters for the stream4 processor (and yes, I have changed the port to process only on
port 23 and 35) but it doesn't seem to matter that much...

Thanks for any ideas on the subject!

//Stefan
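The problem in the post (keyword matching per packet versus logging a whole reassembled session) is easiest to see with a tiny reassembler. The code below is an added example and is not Snort's stream4 code or anything from the original message; it orders TCP segments of one session by sequence number, drops exact retransmissions, and then searches the reassembled per-direction streams. The packets are constructed: the server address 192.168.23.12:23 is the one from the post, the client address 10.0.0.5:40001 and the keystroke payloads are made up. A keyword split across two telnet keystroke packets is missed by per-packet matching but found in the reassembled stream, which is exactly why a per-packet rule fires on fragments rather than on the session.

```python
"""Minimal TCP stream reassembly demo (added example, not Snort code)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    src: str        # "ip:port" of the sender
    dst: str        # "ip:port" of the receiver
    seq: int        # TCP sequence number of the first payload byte
    payload: bytes


def flow_key(seg):
    """Direction-insensitive key so both halves of a session group together."""
    return tuple(sorted((seg.src, seg.dst)))


def reassemble(segments):
    """Return {flow_key: {(src, dst): bytes}} with payloads ordered by seq.

    Out-of-order segments are sorted before concatenation; segments that
    carry only bytes already seen (retransmissions) are dropped; partial
    overlaps keep the first-arriving data. Gaps (lost segments) are simply
    skipped over, which a real reassembler would flag instead.
    """
    per_direction = {}
    for seg in segments:
        dirs = per_direction.setdefault(flow_key(seg), {})
        dirs.setdefault((seg.src, seg.dst), []).append(seg)

    streams = {}
    for key, dirs in per_direction.items():
        streams[key] = {}
        for direction, segs in dirs.items():
            out = bytearray()
            next_seq = None
            for s in sorted(segs, key=lambda s: s.seq):
                if next_seq is None:
                    next_seq = s.seq
                if s.seq + len(s.payload) <= next_seq:
                    continue  # nothing new in this segment: retransmission
                skip = max(0, next_seq - s.seq)  # bytes already delivered
                out += s.payload[skip:]
                next_seq = s.seq + len(s.payload)
            streams[key][direction] = bytes(out)
    return streams


def per_packet_hits(segments, keyword):
    """What a per-packet content match sees: only segments containing the whole keyword."""
    return [s for s in segments if keyword in s.payload]


def stream_hits(streams, keyword):
    """What a match over the reassembled stream sees: (flow, direction) pairs."""
    return [(key, direction)
            for key, dirs in streams.items()
            for direction, data in dirs.items()
            if keyword in data]


CLIENT = "10.0.0.5:40001"       # constructed client address
SERVER = "192.168.23.12:23"     # server address from the post

# Constructed capture: telnet keystrokes arrive split across segments,
# one segment is seen out of order and one is retransmitted.
PACKETS = [
    Segment(SERVER, CLIENT, 5000, b"login: "),
    Segment(CLIENT, SERVER, 1003, b"sword\r\n"),   # arrives before its predecessor
    Segment(CLIENT, SERVER, 1000, b"pas"),
    Segment(CLIENT, SERVER, 1000, b"pas"),         # retransmission, must not duplicate
    Segment(SERVER, CLIENT, 5007, b"Password: "),
]

if __name__ == "__main__":
    kw = b"password"
    print("per-packet hits:", len(per_packet_hits(PACKETS, kw)))
    streams = reassemble(PACKETS)
    for key, dirs in streams.items():
        for direction, data in dirs.items():
            print(direction, data)
    print("stream hits:", stream_hits(streams, kw))
```

Run stand-alone, the script reports zero per-packet hits and one hit in the client-to-server stream; the reassembled text for each direction is what a session log should contain.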



