Snort mailing list archives

stream4 - simple experiment


From: "CHARLES ASMUTH" <casmuth () sarnoff com>
Date: Thu, 19 Jun 2003 10:26:16 -0400

I am trying to do a simple experiment using the stream4 preprocessor. I
want to generate an alert when a particular string is typed by the user
of a telnet client. Since keystrokes are transmitted each in its own
packet, I hoped to use stream reassembly to generate a "uber-packet"
described in the documentation which would contain the concatenation of
the client keystrokes and would therefore cause the alert to be
triggered.

I am using a very simple rules file named xyz.conf whose entire
contents follows:


     preprocessor stream4
     preprocessor stream4_reassemble: both, ports all
     alert tcp xx.xx.xx.xx any <> yy.yy.yy.yy any (content: "xyz"; msg: "XYZ ALERT";)

The client is xx.xx.xx.xx and the server is yy.yy.yy.yy.

The snort command used is

    snort -de -c xyz.conf -l snortlogs

After starting snort, I use telnet from xx.xx.xx.xx to yy.yy.yy.yy.
When my session on yy.yy.yy.yy is established, I enter the command

    echo xyz

and then exit so that the telnet session is ended. The string "xyz" is
thus passed from client to server at one character per packet. It is
echoed by the server, again at one character per packet, and then sent
back whole as the echo command is executed. I only get one alert and it
is for the transmission of the entire string in a single packet as a
consequence of the echo command.

[**] [1:0:0] XYZ ALERT [**]
[Priority: 0]
06/19-10:08:13.671287 0:50:4:C0:78:70 -> 0:C0:4F:A1:72:91 type:0x800 len:0x55
yy.yy.yy.yy:23 -> xx.xx.xx.xx:2770 TCP TTL:64 TOS:0x10 ID:24663 IpLen:20 DgmLen:71 DF
***AP*** Seq: 0xF414FA6E  Ack: 0x87DAFFEA  Win: 0x16D0  TcpLen: 20


What do I need to do to get alerts for the client stream transmissions
of the string "xyz"?


I am running snort on a Windows 2000 machine and the version of snort is

    Version 2.0.0-ODBC-MySQL-WIN32 (Build 72)

thanks
casmuth () sarnoff com
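An added illustration, not part of the original post and not Snort code: a small Python model of what single-packet content matching versus stream reassembly sees for the session described above (client keystrokes one per packet, the server echoing each, then the output of the echo command in one packet). The packet payloads and sequence numbers are constructed for the example.

```python
from dataclasses import dataclass

@dataclass
class Segment:
    src: str        # "client" or "server" (direction of the TCP data)
    seq: int        # TCP sequence number of the first payload byte
    payload: bytes

def per_packet_matches(segments, needle):
    """Packet-at-a-time inspection: only segments that carry the whole
    pattern by themselves can match."""
    return [(s.src, s.payload) for s in segments if needle in s.payload]

def reassemble(segments):
    """Rebuild each direction's byte stream by sequence number, tolerating
    out-of-order arrival; duplicate/overlapping bytes keep the first copy
    (a toy policy, not Snort's)."""
    streams = {}
    for s in segments:
        bytemap = streams.setdefault(s.src, {})
        for i, b in enumerate(s.payload):
            bytemap.setdefault(s.seq + i, b)
    return {src: bytes(bm[k] for k in sorted(bm)) for src, bm in streams.items()}

def reassembled_matches(segments, needle):
    """Directions whose reassembled stream contains the pattern."""
    return sorted(src for src, data in reassemble(segments).items()
                  if needle in data)

def build_session():
    """Constructed packets for: type 'echo xyz', server echoes each
    keystroke, then the command output arrives in a single packet."""
    segs, cseq, sseq = [], 1000, 5000
    for ch in b"echo xyz\r\n":
        segs.append(Segment("client", cseq, bytes([ch]))); cseq += 1
        segs.append(Segment("server", sseq, bytes([ch]))); sseq += 1
    segs.append(Segment("server", sseq, b"xyz\r\n"))   # output of echo
    return segs

if __name__ == "__main__":
    segs = build_session()
    print("per-packet:  ", per_packet_matches(segs, b"xyz"))   # server packet only
    print("reassembled: ", reassembled_matches(segs, b"xyz"))  # both directions
```

Per-packet matching reproduces the single server-side alert reported above; only after the one-byte segments are stitched back into a stream does the client direction contain "xyz" as well.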
