Snort mailing list archives

Re: Is there a snort/libnids alternative


From: elof () sentor se
Date: Mon, 15 Oct 2012 11:43:45 +0200 (CEST)


I'm looking for exactly the same thing as libnids.

The main thing missing in libnids is continued reassembly of tcp-flows 
even though there are SPAN packet drops.

Example:
A TCP stream flows between client and server just fine (e.g. a 
long http/1.1 keep-alive session).
Some random packets are dropped in the mirrored copies.
When libnids sniffs this and reassembles the stream, I want it to leave a 
gap in the buffer where there are missing packets, and continue processing 
the flow. Currently it stops processing the flow.

So I'm looking for an alternative to libnids that hopefully works better 
(and that might have bells and whistles like drop detection, vlan-tag 
purging, ipv6 support, etc).

/Elof


On Sun, 14 Oct 2012, Sam Roberts wrote:

On Thu, Oct 11, 2012 at 5:44 AM,  <elof () sentor se> wrote:
Are there any other free software projects that deal with passive stream
reassembly just like snort and libnids?

Lots. What do you want to do? Have you looked at wireshark?

------------------------------------------------------------------------------
Don't let slow site performance ruin your business. Deploy New Relic APM
Deploy New Relic app performance management and know exactly
what is happening inside your Ruby, Python, PHP, Java, and .NET app
Try New Relic at no cost today and get our sweet Data Nerd shirt too!
http://p.sf.net/sfu/newrelic-dev2dev
_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel
Archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel

Please visit http://blog.snort.org for the latest news about Snort!
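
The behaviour requested in the message above (leave a gap where mirrored packets are missing and keep processing the flow) can be shown with the following added example, which is not code from this thread, libnids or Snort. The names `GapTolerantStream` and `reassemble`, the `max_pending` threshold and the sample segments are assumptions constructed for illustration; it handles one direction of one flow and needs Python 3.8 or later.

```python
MOD = 1 << 32  # TCP sequence numbers are 32-bit and wrap around
def seq_delta(a, b):
    """Signed distance from b to a in sequence space."""
    d = (a - b) % MOD
    return d - MOD if d >= MOD // 2 else d

class GapTolerantStream:  # one direction of a TCP flow, seen by a passive sensor
    def __init__(self, first_seq, max_pending=8):
        self.next_seq = first_seq       # next in-order byte expected
        self.pending = {}               # seq -> payload held beyond a hole
        self.max_pending = max_pending  # assumed limit before a hole counts as lost
        self.chunks = []                # ("data", bytes) or ("gap", missing_bytes)

    def add(self, seq, payload):
        if not payload:
            return                      # bare ACKs carry nothing to reassemble
        self.pending[seq] = payload
        self._drain()
        if len(self.pending) > self.max_pending:
            self._skip_gap()

    def flush(self):  # end of flow (FIN, RST or timeout): deliver what is held
        while self.pending:
            self._skip_gap()

    def _drain(self):
        while ready := [s for s in self.pending if seq_delta(s, self.next_seq) <= 0]:
            for s in ready:
                data = self.pending.pop(s)
                done = -seq_delta(s, self.next_seq)  # bytes already delivered
                if done < len(data):                 # drop retransmitted prefix
                    self.chunks.append(("data", data[done:]))
                    self.next_seq = (self.next_seq + len(data) - done) % MOD

    def _skip_gap(self):
        # Hole never filled: record its size, resume at the nearest held segment.
        nearest = min(self.pending, key=lambda s: seq_delta(s, self.next_seq))
        self.chunks.append(("gap", seq_delta(nearest, self.next_seq)))
        self.next_seq = nearest
        self._drain()

def reassemble(first_seq, segments, max_pending=8):
    stream = GapTolerantStream(first_seq, max_pending)
    for seq, payload in segments:
        stream.add(seq, payload)
    stream.flush()
    return stream.chunks
# Constructed sample: the 10-byte segment at seq 2 was lost on the SPAN port.
SAMPLE = [(0xFFFFFFF8, b"A" * 10), (12, b"C" * 10), (22, b"D" * 5)]
```

`reassemble(0xFFFFFFF8, SAMPLE)` yields the first segment, a `("gap", 10)` marker, then the two later segments, so a consumer can tell exactly how many bytes the sensor never saw.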

