Snort mailing list archives
stream4: logging characteristics
From: Brian A Kee <bkee () lurhq com>
Date: Fri, 14 Nov 2003 20:13:11 -0600
Regarding the stream4 preprocessor:
First:
My understanding is that the stream4 preprocessor configured with the
log_flushed_streams option should, on a positive signature detect, log the
entire stream or "uber" packet when logging to tcpdump output.
preprocessor stream4: log_flushed_streams
Combining this with the stream4_reassemble options of client_only, server_only,
or both should result in an entire-stream packet dump of the client side, server
side, or both sides of the TCP stream, respectively.
preprocessor stream4_reassemble: both
Is this a correct interpretation of these options?
Second:
The stream4 preprocessor is supposed to combine all of the packets from a TCP
stream into a single session "uber" packet. This being the case, would it not
be possible to write a rule such as:
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS \
(msg:"POSITIVE -- WEB-IIS cmd.exe access"; \
flow:established,only_stream; content:"cmd.exe"; nocase; \
content: "200 OK"; nocase; )
that would match "cmd.exe" and "200 OK" only in the same session?
--
Thank You,
Brian A. Kee
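The crux of the second question is whether both content: patterns end up in the same buffer that the detection engine inspects. The following is an added example, not code from the original post and not Snort's own stream4 implementation: a small per-direction TCP reassembler and a two-content rule check run over a constructed HTTP session. It assumes, as the client_only/server_only/both options suggest, that each direction is rebuilt into its own stream, and that a rule's content: options are all evaluated against one packet (reassembled or not). The request and response bytes, sequence numbers and the out-of-order/retransmitted delivery are constructed for the demonstration.

```python
from dataclasses import dataclass


@dataclass
class Segment:
    direction: str  # "client" or "server"
    seq: int        # TCP sequence number of the first payload byte
    payload: bytes


def reassemble(segments, direction):
    """Rebuild one direction of a session from out-of-order and duplicated
    segments. Returns the contiguous byte stream starting at the lowest
    sequence number seen; data after a gap is left out, since a stream with
    a missing segment cannot be inspected reliably. (This is a simplified
    policy for the example, not stream4's actual behaviour.)"""
    segs = sorted((s for s in segments if s.direction == direction),
                  key=lambda s: s.seq)
    if not segs:
        return b""
    out = bytearray()
    next_seq = segs[0].seq
    for s in segs:
        if s.seq > next_seq:       # gap in the stream: stop here
            break
        skip = next_seq - s.seq    # bytes already supplied by an earlier segment
        if skip < len(s.payload):
            out += s.payload[skip:]
            next_seq = s.seq + len(s.payload)
    return bytes(out)


def rule_matches(buf, contents, nocase=True):
    """Emulate a rule carrying several content: options: every pattern must
    be found in this one buffer (one packet, reassembled or not)."""
    hay = buf.lower() if nocase else buf
    return all((c.lower() if nocase else c) in hay for c in contents)


# Constructed session bytes (not captured traffic).
REQUEST = b"GET /cgi-bin/cmd.exe HTTP/1.0\r\nHost: www.example.test\r\n\r\n"
RESPONSE = b"HTTP/1.0 200 OK\r\nContent-Length: 2\r\n\r\nok"

# The two content: patterns from the rule in the post.
RULE_CONTENTS = [b"cmd.exe", b"200 OK"]


def sample_session():
    """Segments as the sensor might see them: the second half of the request
    arrives first, and the first half is retransmitted once."""
    return [
        Segment("client", 1020, REQUEST[20:]),
        Segment("client", 1000, REQUEST[:20]),
        Segment("client", 1000, REQUEST[:20]),   # retransmission
        Segment("server", 5000, RESPONSE[:16]),
        Segment("server", 5016, RESPONSE[16:]),
    ]


def evaluate(segments):
    """Run the two-content rule against the client stream, the server stream,
    and a hypothetical buffer holding both directions together."""
    client = reassemble(segments, "client")
    server = reassemble(segments, "server")
    return {
        "client_only": rule_matches(client, RULE_CONTENTS),
        "server_only": rule_matches(server, RULE_CONTENTS),
        "whole_session": rule_matches(client + server, RULE_CONTENTS),
    }


if __name__ == "__main__":
    for name, hit in evaluate(sample_session()).items():
        print(f"{name:14s} -> {'ALERT' if hit else 'no match'}")
```

Under these assumptions the rule fires only for the combined buffer: the client-side stream contains "cmd.exe" but not "200 OK", and the server-side stream the reverse. So a rule that requires both patterns can only match if the preprocessor hands the detection engine a single packet holding both directions; with per-direction reassembly it never will, however the reassemble option is set. A practical check on a real sensor is to run the rule against a pcap of a known session with log_flushed_streams enabled and confirm which reassembled packet, if any, triggers it.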