Re: Snort and buffering of packets

[Knut Borg <knutborg () gmail com>]

Thanks for your reply.

My initial thought was to create a rule which detected a JPEG header and
reported a detection to a Unix socket (http://manual.snort.org/node7.html)
by using  "-A unsock". I would then write a program that listened to Snort.
When Snort sent an alert for detecting the JPEG header, my program would
find the JPEG file/TCP session Snort stored/delayed in RAM.

As far as I understand flowbits, flowbits can be used in conjuction with
the Stream5 preprocessor (
http://manual.snort.org/node66.html#stream5_section). I'm wondering if this
solution will only store a copy of the JPEG file and not delay the original
TCP session?


Thanks in advance
Knut



On Sat, Jan 19, 2013 at 5:44 PM, Joel Esler <jesler () sourcefire com> wrote:

> Dear Knut,
>
> Thanks for your email.  I believe you will find what you are looking for
> here: http://manual.snort.org/node470.html
>
> Use a flowbit to set a flowbit on the JPEG header, then check that flowbit
> in a separate rule.
>
> --
> *Joel Esler*
> Senior Research Engineer, VRT
> OpenSource Community Manager
> Sourcefire
>
> On Jan 18, 2013, at 7:58 AM, Knut Borg <knutborg () gmail com> wrote:
>
> Hey, I have a question about buffering of packets.
>
> What I want to do is that I want Snort to check for JPEG files in the
> network stream, which is easy because I ask Snort to look for the JPEG
> header. Then after Snort have detected a JPEG-file, I want Snort to store
> the JPEG file in a buffer (i.e. not write it to disk, only store it in
> RAM). Then I'm going to check the JPEG-file for bit patterns while Snort
> still have the file stored in memory. If I can't find my own watermarks
> Snort will send the packet as normal, if not I want Snort to drop the
> packet. The reason why I don't want to store the JPEG file to a hard drive
> is for efficiency purposes.
>
> I'm currently experimenting with the idea and I'm wondering if it is
> possible to pull off? I heard something about Snort being able to
> quarantine packets, but I'm not sure if I would be able to access those
> packets if they are quarantined.
>
>
>
> Thanks in advance
> Knut
>
>
> ------------------------------------------------------------------------------
> Master Visual Studio, SharePoint, SQL, ASP.NET, C# 2012, HTML5, CSS,
> MVC, Windows 8 Apps, JavaScript and much more. Keep your skills current
> with LearnDevNow - 3,200 step-by-step video tutorials by Microsoft
> MVPs and experts. SALE $99.99 this month only -- learn more at:
>
> http://p.sf.net/sfu/learnmore_122912_______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>
> Please visit http://blog.snort.org to stay current on all the latest
> Snort news!
------------------------------------------------------------------------------
Master Visual Studio, SharePoint, SQL, ASP.NET, C# 2012, HTML5, CSS,
MVC, Windows 8 Apps, JavaScript and much more. Keep your skills current
with LearnDevNow - 3,200 step-by-step video tutorials by Microsoft
MVPs and experts. ON SALE this month only -- learn more at:
http://p.sf.net/sfu/learnnow-d2d

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!