Snort mailing list archives
Re: Snort and buffering of packets
From: Joel Esler <jesler () sourcefire com>
Date: Thu, 24 Jan 2013 09:05:25 -0500
If you wanted to just store the JPEG file, I'd probably advise something like the 'tag' keyword (you can find it in the manual as well). Trigger on the JPEG's file magic as it's downloaded and tag the rest of the session. Then you can reconstruct the jpeg from the packet capture.

--
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire

On Jan 24, 2013, at 7:40 AM, Knut Borg <knutborg () gmail com> wrote:

> Thanks for your reply.
>
> My initial thought was to create a rule which detected a JPEG header and reported a detection to a Unix socket (http://manual.snort.org/node7.html) by using "-A unsock". I would then write a program that listened to Snort. When Snort sent an alert for detecting the JPEG header, my program would find the JPEG file/TCP session Snort stored/delayed in RAM.
>
> As far as I understand flowbits, flowbits can be used in conjunction with the Stream5 preprocessor (http://manual.snort.org/node66.html#stream5_section). I'm wondering if this solution will only store a copy of the JPEG file and not delay the original TCP session?
>
> Thanks in advance,
> Knut
>
> On Sat, Jan 19, 2013 at 5:44 PM, Joel Esler <jesler () sourcefire com> wrote:
>
>> Dear Knut,
>>
>> Thanks for your email. I believe you will find what you are looking for here: http://manual.snort.org/node470.html
>>
>> Use a flowbit to set a flowbit on the JPEG header, then check that flowbit in a separate rule.
>>
>> --
>> Joel Esler
>> Senior Research Engineer, VRT
>> OpenSource Community Manager
>> Sourcefire
>>
>> On Jan 18, 2013, at 7:58 AM, Knut Borg <knutborg () gmail com> wrote:
>>
>>> Hey,
>>>
>>> I have a question about buffering of packets. What I want to do is that I want Snort to check for JPEG files in the network stream, which is easy because I ask Snort to look for the JPEG header. Then after Snort has detected a JPEG file, I want Snort to store the JPEG file in a buffer (i.e. not write it to disk, only store it in RAM). Then I'm going to check the JPEG file for bit patterns while Snort still has the file stored in memory. If I can't find my own watermarks, Snort will send the packet as normal; if not, I want Snort to drop the packet.
>>>
>>> The reason why I don't want to store the JPEG file to a hard drive is for efficiency purposes. I'm currently experimenting with the idea and I'm wondering if it is possible to pull off?
>>>
>>> I heard something about Snort being able to quarantine packets, but I'm not sure if I would be able to access those packets if they are quarantined.
>>>
>>> Thanks in advance,
>>> Knut

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
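As an added example (not from the thread), a Snort 2.9 rule set along the lines Joel describes: set a flowbit when the JPEG SOI marker opens an HTTP response body, tag the remaining packets of that session so the whole file ends up in the capture, and make a second rule conditional on the flowbit. The sids, the flowbit name and the watermark bytes are placeholders chosen here; flowbits are kept per Stream5-tracked flow, so stream5 must be enabled for the TCP traffic in question.

```snort
# Rule 1: the JPEG SOI marker (FF D8 FF) at the start of an HTTP response
# body marks the flow, tags the rest of the session so the full file lands
# in the packet capture, and stays quiet itself (flowbits:noalert).
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( \
    msg:"LOCAL JPEG download started, session tagged"; \
    flow:to_client,established; \
    file_data; content:"|FF D8 FF|"; depth:3; \
    flowbits:set,local.jpeg.inflight; flowbits:noalert; \
    tag:session,2000,packets; \
    classtype:misc-activity; sid:1000001; rev:1;)

# Rule 2: only fires inside a flow that rule 1 has marked. The content is a
# constructed placeholder for the bit pattern being looked for.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( \
    msg:"LOCAL watermark seen in tagged JPEG session"; \
    flow:to_client,established; \
    flowbits:isset,local.jpeg.inflight; \
    file_data; content:"|AB CD EF 01|"; \
    classtype:misc-activity; sid:1000002; rev:1;)

# Rule 3: the EOI marker (FF D9) ends the image; clear the flowbit so a
# later image on the same keep-alive connection starts a fresh cycle.
# Heuristic: an embedded EXIF thumbnail carries its own EOI marker, so
# the bit can be cleared early on such files.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( \
    msg:"LOCAL JPEG download finished"; \
    flow:to_client,established; \
    flowbits:isset,local.jpeg.inflight; \
    file_data; content:"|FF D9|"; \
    flowbits:unset,local.jpeg.inflight; flowbits:noalert; \
    classtype:misc-activity; sid:1000003; rev:1;)
```

Rule 2 alerts when the bytes are present; holding a whole file and forwarding it only if a pattern is absent is not something a rule expresses, which is why the advice above is to reconstruct the JPEG from the tagged capture afterwards.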
Current thread:
- Snort and buffering of packets Knut Borg (Jan 19)
- Re: Snort and buffering of packets Joel Esler (Jan 19)
- Re: Snort and buffering of packets Knut Borg (Jan 24)
- Re: Snort and buffering of packets Joel Esler (Jan 24)
- Re: Snort and buffering of packets Knut Borg (Jan 24)
- Re: Snort and buffering of packets Joel Esler (Jan 19)