Snort mailing list archives
Re: Reconstruction of TCP packets
From: Rajesh Joseph <tech_joseph () yahoo com>
Date: Tue, 30 Mar 2004 23:10:21 -0800 (PST)
No, you are not getting my point.... Suppose you are monitoring some keyword (for some attack type) in the TCP packets, e.g. "sourceforge.net". If this keyword is present in a single packet then you can log that particular packet... But suppose this particular packet is split in two packets like:

Packet 1 :: Data sdfd ... source
Packet 2 :: forge.net Data gfhgdfsdgf ....

Now "sourceforge.net" is split in two packets and thus Snort is not detecting the keyword. Even though I am enabling stream4_reassemble it is not doing so.

Rajesh

--- Jason Haar <Jason.Haar () trimble co nz> wrote:
On Mon, Mar 29, 2004 at 05:19:22AM -0800, Rajesh Joseph wrote: I know stream4 (stream4_reassemble) is used to reassemble the TCP packets, but in my case it is not doing so..... It only dumps that packet which caused the alert but not the entire assembled packet.

I think Snort cannot do what you want. What you want is to capture an arbitrary amount of traffic and reconstruct it into a single stream - for Snort to do that without making itself susceptible to DoS attacks would require infinite memory. Snort uses a "sliding window" thingy to limit the amount of RAM it needs to allocate to any particular data stream.

What about just capturing what you want with:

tcpdump -n -s0 -w/tmp/raw.tcpdump -i <DEV> <BF FILTER>

then you can read that into Ethereal and it'll reconstruct it (assuming it's not a stupid amount of data - same issues as Snort...)

-- Cheers
Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
-------------------------------------------------------
This SF.Net email is sponsored by: IBM Linux Tutorials Free Linux tutorial presented by Daniel Robbins, President and CEO of GenToo technologies. Learn everything from fundamentals to system
administration.http://ads.osdn.com/?ad_id=1470&alloc_id=3638&op=click
_______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
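The two messages above describe the same problem from both sides: a keyword that straddles a TCP segment boundary is invisible to per-packet matching, and a reassembler that buffers whole streams is a memory-exhaustion risk. The following is an added illustration, not code from the thread or from Snort or Ethereal. It builds a toy TCP reassembler over constructed segments (sequence numbers, payloads and the initial sequence number are all made up) and shows three things: per-packet matching misses the split keyword, ordered reassembly finds it, and a bounded "sliding window" matcher finds it too while carrying only `len(keyword) - 1` bytes between segments, which is the constant-memory trade-off Jason alludes to. Function and class names are this example's own.

```python
"""Toy TCP reassembly vs. per-packet keyword matching (illustration only).

Constructed input: two in-order data segments whose boundary splits the
keyword, a retransmitted duplicate of the first, and one segment beyond a
hole in the stream (never reassembled, because the bytes before it are
missing). Nothing here is Snort's or Ethereal's code.
"""
from dataclasses import dataclass
from typing import Iterator, List, Tuple


@dataclass(frozen=True)
class Segment:
    seq: int        # absolute TCP sequence number of payload[0]
    payload: bytes  # TCP payload bytes only


# --- constructed sample traffic, modelled on the packets in the post ---
ISN = 1000                     # assumed initial sequence number (first data byte)
KEYWORD = b"sourceforge.net"   # the keyword being monitored
P1 = b"Data sdfd ... source"   # 20 bytes, ends with "source"
P2 = b"forge.net Data gfhgdfsdgf"  # 25 bytes, starts with "forge.net"
SEGMENTS = [
    Segment(ISN + len(P1), P2),      # delivered out of order
    Segment(ISN, P1),
    Segment(ISN, P1),                # retransmission of the first segment
    Segment(ISN + 100, b"later"),    # beyond a hole: bytes 1045..1099 never seen
]


def per_packet_matches(segments: List[Segment], keyword: bytes) -> List[int]:
    """Naive detector: look for the keyword inside each segment on its own."""
    return [s.seq for s in segments if keyword in s.payload]


def ordered_chunks(segments: List[Segment], isn: int) -> Iterator[Tuple[int, bytes]]:
    """Yield (absolute_seq, payload) in sequence order.

    Retransmitted or overlapping bytes are trimmed; iteration stops at the
    first hole, since a reassembler cannot legitimately invent the missing
    bytes (it has to buffer later segments until the hole is filled).
    """
    next_seq = isn
    for s in sorted(segments, key=lambda seg: seg.seq):
        end = s.seq + len(s.payload)
        if end <= next_seq:
            continue            # fully retransmitted data already delivered
        if s.seq > next_seq:
            break               # hole in the stream: cannot continue past it
        data = s.payload[next_seq - s.seq:]   # drop any overlapping prefix
        yield next_seq, data
        next_seq = end


def reassemble(segments: List[Segment], isn: int) -> bytes:
    """Full reassembly: concatenate the contiguous stream from the ISN onward."""
    return b"".join(data for _, data in ordered_chunks(segments, isn))


def stream_matches(segments: List[Segment], isn: int, keyword: bytes) -> List[int]:
    """Bounded-memory matcher over the ordered stream.

    Only the last len(keyword) - 1 bytes of the previous chunk are carried
    forward, which is enough to catch a keyword split across a boundary
    without retaining the whole stream. Returns offsets relative to the ISN.
    """
    k = len(keyword)
    carry = b""
    hits: List[int] = []
    for chunk_seq, data in ordered_chunks(segments, isn):
        buf = carry + data
        base = chunk_seq - len(carry)   # absolute seq of buf[0]
        start = 0
        while True:
            i = buf.find(keyword, start)
            if i < 0:
                break
            hits.append(base + i - isn)
            start = i + 1
        carry = buf[-(k - 1):] if k > 1 else b""   # a match cannot fit inside carry alone
    return hits


if __name__ == "__main__":
    print("per-packet hits :", per_packet_matches(SEGMENTS, KEYWORD))   # []
    print("reassembled     :", reassemble(SEGMENTS, ISN))
    print("stream hits     :", stream_matches(SEGMENTS, ISN, KEYWORD))  # [14]
```

Two points worth noting for a detection engineer. First, the carry-over trick bounds memory only for in-order data; out-of-order segments still have to be held until the hole before them is filled, which is exactly where a reassembler must cap per-stream buffering rather than grow without limit. Second, the segment at sequence 1100 is never inspected at all, so a stream with a permanent hole is a gap in detection coverage, not just a reassembly inconvenience.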
Current thread:
- Reconstruction of TCP packets Rajesh Joseph (Mar 29)
- Re: Reconstruction of TCP packets Dirk Geschke (Mar 29)
- Re: Reconstruction of TCP packets Rajesh Joseph (Mar 29)
- Re: Reconstruction of TCP packets Jason Haar (Mar 29)
- Re: Reconstruction of TCP packets Rajesh Joseph (Mar 30)
- Re: Reconstruction of TCP packets Dirk Geschke (Mar 30)
- Re: Reconstruction of TCP packets Rajesh Joseph (Mar 31)
- Re: Reconstruction of TCP packets Dirk Geschke (Mar 31)
- Re: Reconstruction of TCP packets Rajesh Joseph (Mar 29)
- Re: Reconstruction of TCP packets Dirk Geschke (Mar 29)