Snort mailing list archives

Re: Snort and buffering of packets


From: Joel Esler <jesler () sourcefire com>
Date: Thu, 24 Jan 2013 09:05:25 -0500

If you wanted to just store the JPEG file, I'd probably advise something like the 'tag' keyword (you can find it in the 
manual as well).  Trigger on the JPEG's file magic as it's downloaded and tag the rest of the session.  

Then you can reconstruct the jpeg from the packet capture.


--
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire

On Jan 24, 2013, at 7:40 AM, Knut Borg <knutborg () gmail com> wrote:

Thanks for your reply.

My initial thought was to create a rule which detected a JPEG header and reported a detection to a Unix socket 
(http://manual.snort.org/node7.html) by using "-A unsock". I would then write a program that listened to Snort. When 
Snort sent an alert for detecting the JPEG header, my program would find the JPEG file/TCP session Snort 
stored/delayed in RAM. 

As far as I understand flowbits, flowbits can be used in conjunction with the Stream5 preprocessor 
(http://manual.snort.org/node66.html#stream5_section). I'm wondering if this solution will only store a copy of the 
JPEG file and not delay the original TCP session? 


Thanks in advance 
Knut



On Sat, Jan 19, 2013 at 5:44 PM, Joel Esler <jesler () sourcefire com> wrote:
Dear Knut,

Thanks for your email.  I believe you will find what you are looking for here: http://manual.snort.org/node470.html

Use a flowbit to set a flowbit on the JPEG header, then check that flowbit in a separate rule.

--
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire

On Jan 18, 2013, at 7:58 AM, Knut Borg <knutborg () gmail com> wrote:

Hey, I have a question about buffering of packets.

What I want to do is that I want Snort to check for JPEG files in the network stream, which is easy because I ask 
Snort to look for the JPEG header. Then after Snort has detected a JPEG file, I want Snort to store the JPEG file 
in a buffer (i.e. not write it to disk, only store it in RAM). Then I'm going to check the JPEG file for bit 
patterns while Snort still has the file stored in memory. If I can't find my own watermarks, Snort will send the 
packet as normal; otherwise I want Snort to drop the packet. The reason why I don't want to store the JPEG file on a 
hard drive is for efficiency purposes. 

I'm currently experimenting with the idea and I'm wondering if it is possible to pull off? I heard something about 
Snort being able to quarantine packets, but I'm not sure if I would be able to access those packets if they are 
quarantined.



Thanks in advance
Knut

Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
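The flowbit-plus-tag approach Joel describes, written out as an added example; it is not part of the thread and not Sourcefire's code. It uses Snort 2.9 rule syntax and assumes stream5 and http_inspect are enabled (flow/flowbits and file_data depend on them); the SIDs 1000001/1000002, the flowbit name jpeg.download, the 300-second tag window and the $EXTERNAL_NET/$HTTP_PORTS/$HOME_NET variables are all arbitrary choices:

```snort
# Added example, not from the mailing-list thread. Snort 2.9 syntax.
# Rule 1: fire on the JPEG file magic (SOI marker FF D8 FF) at the very
# start of an HTTP response body, set a flowbit for this TCP flow and tag
# the rest of the session so every later packet of it is logged as well.
# SIDs, flowbit name and the 300-second window are assumptions.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( \
    msg:"JPEG download started - tagging session"; \
    flow:established,to_client; \
    file_data; \
    content:"|FF D8 FF|"; depth:3; \
    flowbits:set,jpeg.download; \
    tag:session,300,seconds; \
    classtype:misc-activity; sid:1000001; rev:1; )

# Rule 2: only fires on a flow where rule 1 already set the flowbit, here
# when the JPEG end-of-image marker (FF D9) shows up on that flow. The tag
# on rule 1 already logs the whole session; this rule marks completion and
# clears the flowbit. In inline mode, change "alert" to "drop" to block.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( \
    msg:"JPEG download complete on tagged session"; \
    flow:established,to_client; \
    flowbits:isset,jpeg.download; \
    content:"|FF D9|"; \
    flowbits:unset,jpeg.download; \
    classtype:misc-activity; sid:1000002; rev:1; )
```

Two caveats a practitioner will hit. First, the tag only starts at the packet that triggered rule 1 and the tagged packets go to whatever output plugin is configured (a unified2 log, or the unix socket from "-A unsock"), so the JPEG is rebuilt afterwards from that logged capture with a TCP stream reassembler, not held in Snort's memory as Knut's original design wanted; the HTTP request and any response packets before the one carrying FF D8 FF are not part of the tag. Second, "file_data; content:|FF D8 FF|; depth:3;" only matches a JPEG that begins the response body; a JPEG nested in a multipart body, or carried over a non-HTTP protocol, needs a different buffer or a rule without the depth constraint.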


