RE: Fragments and stuff

[Ian Macdonald <secsnort () dirk demon co uk>]

On Tue, 30 Apr 2002, Sheahan, Paul (PCLN-NW) wrote:

> "what protection does snort have for detecting a signature that  has been
> split over 2 packets....."
> I believe the frag2 preprocessor should reassemble the fragments, then
> analyze the resulting packet against the ruleset. Though if not all
> fragments are received, then the packet can't be reassembled. Not sure how
> Snort handles this?

So how are these logged? Does snort log each packet as it comes in or does
it log multiple enteries, one for each packet?


Thanks

Ian

> -----Original Message-----
> From: Ian Macdonald [mailto:secsnort () dirk demon co uk]
> Sent: Tuesday, April 30, 2002 2:21 PM
> To: snort-users () lists sourceforge net
> Subject: [Snort-users] Fragments and stuff
>
>
> I started looking at this problem the other day. I want to be able to detect
> an event. From looking at sniffs of the traffic, 90% of the time the 2
> content strings I am interested in appear in the payload of one packet.
> However I have seen cases where one content string is in one packet then the
> other is in the next packet.
>
> This raised some general questions. Since snort is signature based, what
> protection does snort have for detecting a signature that  has been split
> over 2 packets.
>
> What do people consider fragmentation? Is it just when a router has split up
> the data or does it include multiple packets that come from say a web server
> sending a large html page that would be split up into multiple pakects.
>
> I am running in my test environment with the following preprossors
>
> preprocessor frag2
> preprocessor stream4: detect_scans
> preprocessor stream4_reassemble
> preprocessor http_decode: 80 -unicode -cginull
> preprocessor rpc_decode: 111 32771
> preprocessor bo: -nobrute
> preprocessor telnet_decode
> preprocessor portscan: $HOME_NET 4 3 portscan.log
>
> and running with the snort options -o
>
> from looking at the documentation it seems that stream4_reassemble should do
> the trick but I am unsure what clientonly and serveronly means. I am also
> unsure what the impact of changing from the default of  reassemble client to
> reassemble server is. When I tried adding the options clientonly and
> severonly the snort start up info said they were both disabled.
>
> Thanks in advance
>
> Ian
>
>
>
>
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users