Snort mailing list archives

snort session reassembly problem


From: "gupta_sonali" <gupta_sonali () indiatimes com>
Date: Fri, 07 Mar 2003 18:46:19 +0530

Hello

I am using snort to do multiple keyword search on a tcpdump file. The output I need is all the sessions containing those keywords. The complete session should be stored in case the keyword is found.
I specified session: binary in the conf file, and also tried enabling the stream4 preprocessor.
However, I am facing two problems.

1) Sequencing of packets: Though snort is placing all packets with the same port-IP pair in one session file, the packets are not correctly sequenced. They are present in the order in which they arrived, which is not the correct sequence of packets based on the TCP sequence nos.
I tried using "Follow TCP Stream" in Ethereal and tcpflow. Both arranged the packets in correct sequence. Is there any way to make Snort arrange the packets in proper sequence?
I tried to replay the tcpdump using tcpreplay and have snort sniff that instead of reading the tcpdump, but that too did not resolve the issue.

2) Saving the entire session to a file if the keyword is found: Snort is placing just part of the actual data of that session in the session file if the keyword is found. It does not record the entire session. Is there any way to make snort save the whole session to a file if the keyword is found? Again, sniffing off the network directly or from tcpreplay (instead of reading tcpdump) did not resolve the issue.
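As an added illustration of the reordering problem described in the post (example code written here, not from the original message or from Snort): a small Python reassembler that sorts one direction's segments by relative TCP sequence number, drops retransmitted bytes, marks holes, and shows that a keyword split across out-of-order segments is only matched after reassembly. The segment list is constructed sample data, and relative sequence numbers (first payload byte = 1) are assumed.

```python
from typing import List, Tuple

Segment = Tuple[int, bytes]  # (relative TCP sequence number, payload)


def reassemble(segments: List[Segment]) -> bytes:
    """Rebuild one direction of a TCP stream from segments in arrival order.

    Segments are sorted by sequence number, fully retransmitted segments are
    dropped, partially overlapping ones keep only their new tail, and a gap
    left by a missing segment is filled with '?' so the offset stays correct.
    """
    stream = bytearray()
    next_seq = None
    for seq, payload in sorted(segments, key=lambda s: s[0]):
        if not payload:                       # pure ACK, nothing to add
            continue
        if next_seq is None:
            next_seq = seq                    # first data byte of the stream
        if seq + len(payload) <= next_seq:
            continue                          # full retransmission: already seen
        if seq < next_seq:
            payload = payload[next_seq - seq:]  # partial overlap: keep new tail
            seq = next_seq
        if seq > next_seq:
            stream.extend(b"?" * (seq - next_seq))  # hole: segment never captured
        stream.extend(payload)
        next_seq = seq + len(payload)
    return bytes(stream)


def arrival_order(segments: List[Segment]) -> bytes:
    """What a logger that concatenates packets as they arrive would store."""
    return b"".join(p for _, p in segments)


def keyword_found(segments: List[Segment], keyword: bytes) -> Tuple[bool, bool]:
    """(found in arrival-order data, found in reassembled stream)."""
    return keyword in arrival_order(segments), keyword in reassemble(segments)


# Constructed sample: one direction of a flow, listed in capture order.
# The keyword "CONFIDENTIAL" spans two segments that arrived out of order.
SAMPLE: List[Segment] = [
    (1, b"GET /export HTTP/1.0\r\n"),   # bytes 1..22
    (36, b"IDENTIAL\r\n"),              # bytes 36..45, arrived early
    (23, b"X-Label: CONF"),             # bytes 23..35
    (1, b"GET /export HTTP/1.0\r\n"),   # full retransmission of segment 1
    (34, b"NFIDENTIAL\r\n"),            # partial retransmission, overlaps 34..35
]
```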



