[Snort-users] Content across multiple packets Not detected by Snort
From: Dennis George (easyeinfo yahoo.com)
Date: Fri Apr 23 2004 - 03:59:26 CDT
Hi all,
Intro:
I have been working with Snort for the last 3 weeks. I am using Snort 2.1.0 for content monitoring.
Problem:
My problem is that if the content I am monitoring is split across two packets, then Snort does not detect it.
Homework:
In my configuration file I have enabled stream4 and stream4_reassemble.
my snort.conf file
preprocessor stream4: detect_scans, disable_evasion_alerts, log_flushed_streams
preprocessor stream4_reassemble
preprocessor stream4_reassemble : clientonly, ports 25 80 3131
my rule file
alert tcp any any -> any any (content: "Hello World"; msg: "Got the message"; nocase;)
But it is still not detecting my content "Hello World" if it is split across two packets.
Earlier I thought stream4 was not working, so I debugged it. But stream4 is working fine: it is enabled and it is building the session tree (splay tree). But only the packets are sent to the detection engine, not the session tree or the reassembled packet.
Request:
So please guide me on where I am going wrong. Am I looking in the right place (stream4)?
Thanks in advance
Dennis George
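The point behind this question is that a packet-at-a-time content match can only see bytes that fall inside a single TCP segment, while a stream reassembler reorders segments by sequence number and hands the detection engine a contiguous byte stream. The following Python model, added here as an illustration and not Snort's own code, shows both behaviours on constructed segments that split "Hello World" across a segment boundary. It also handles out-of-order delivery, an overlapping retransmission, and a gap in the stream (where matching must stop rather than join bytes across a hole). Segment contents, sequence numbers and function names are all assumptions made up for the example; direction (client/server) and port filtering are ignored for simplicity.

```python
import re

# Case-insensitive match, standing in for: content: "Hello World"; nocase;
PATTERN = re.compile(rb"hello world", re.IGNORECASE)

# Constructed sample: one request whose payload is split across two TCP
# segments so the signature text straddles the boundary.
# Each entry is (sequence number, payload). Segment 1 is 27 bytes long.
ISN = 1000
SEGMENTS = [
    (ISN, b"GET / HTTP/1.0\r\nX-Note: Hel"),
    (ISN + 27, b"lo World\r\n\r\n"),
]


def match_per_packet(segments):
    """Packet-at-a-time inspection: the pattern must lie inside one payload."""
    return any(PATTERN.search(payload) is not None for _, payload in segments)


def reassemble(segments, isn):
    """Reorder segments by sequence number and stitch a contiguous stream.

    Overlapping bytes (retransmissions) are skipped, and reassembly stops at
    the first gap so nothing is ever matched across missing data.
    """
    stream = bytearray()
    expected = isn
    for seq, payload in sorted(segments, key=lambda s: s[0]):
        if seq > expected:
            break  # hole in the stream: do not join across it
        offset = expected - seq  # bytes of this segment already seen
        if offset < len(payload):
            stream += payload[offset:]
            expected += len(payload) - offset
    return bytes(stream)


def match_reassembled(segments, isn):
    """Stream-level inspection: match against the reassembled bytes."""
    return PATTERN.search(reassemble(segments, isn)) is not None


def demo():
    """Return the outcomes for the split-content case in several arrival orders."""
    return {
        "per_packet": match_per_packet(SEGMENTS),
        "reassembled": match_reassembled(SEGMENTS, ISN),
        "reassembled_out_of_order": match_reassembled(list(reversed(SEGMENTS)), ISN),
        "reassembled_second_segment_lost": match_reassembled(SEGMENTS[:1], ISN),
    }


if __name__ == "__main__":
    for name, hit in demo().items():
        print(f"{name}: {'ALERT' if hit else 'no match'}")
```

Running it shows that the per-packet matcher never fires on the split payload, while the reassembled stream matches whether the segments arrive in order or reversed, and the match correctly disappears when the second segment is missing.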