Re: New feature wanted in snort: packet print

[Chris Green <cmg () snort org>]

Martin Olsson <elof () sentor se> writes:

> I sent this mail to the snort-users list since I think more people than me
> are interested in your answers/thoughts.
>
>
> Glenn Mansfield Keeni, the author of snort's SNMP-plugin, have come up
> with a nice idea (at least I think it was his idea):
>
> If you have an offending packet passing through several sensors, it would
> be nice if the NMS could detect and correlate that the alerts origin from
> the same packet, giving me *one* alert with the summary instead of one
> alert per sensor.
>
> In the SNMP-plugin, Glenn has added the support for generating a print of
> the invariant part of the offending packet. This print, a MD5 or
> SHA1 digest of the packet, is sent as part of the alert. This digest can
> be used to verify whether the packet was seen in other parts of the
> network. For privacy/security reasons we do not send the packet itself.
>
> My question is:
> Couldn't this be built straight into the snort core, so you can get the
> benefits of the packet print regardless of what output plugin you use?

What do you take a digest of? The entire Ethernet frame? The entire IP
datagram? The transport datagram? 

What do you do in the reassembled stream alert case? IP fragment?  The
encapsulated protocol case?
-- 
Chris Green <cmg () sourcefire com>
"Yeah, but you're taking the universe out of context."


-------------------------------------------------------
This sf.net email is sponsored by: viaVerio will pay you up to
$1,000 for every account that you consolidate with us.
http://ad.doubleclick.net/clk;4749864;7604308;v?
http://www.viaverio.com/consolidator/osdn.cfm
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users