Snort mailing list archives
Re: [Snort-users] byte_jump + Stream5, should it work?
From: rmkml <rmkml () yahoo fr>
Date: Tue, 27 Dec 2011 20:16:33 +0100 (CET)
Hi Shaiming,
It works with your two cases on the default snort.conf (tested on snort v2.9.2), simply adding "-k none" on the snort cmd line... (or in snort.conf)
Can you check please?
Happy Holidays.
Regards
Rmkml

On Tue, 27 Dec 2011, Shaiming Hsiung wrote:
Many thanks for your answers.
Here is my snort.conf file. The aim here is to detect application-level
packets of the form:
start<offset>XX...XXXtest
where <offset> are four bytes encoding the number of Xs
we should skip to find the string "test". (The representation
is big endian).
-------- snort.conf
preprocessor stream5_global: track_tcp yes track_udp yes
preprocessor stream5_tcp: timeout 86400, protocol all, ports all
preprocessor stream5_udp: timeout 86400
config paf_max: 16000
alert tcp any any -> any any (sid:1000000; msg:"test package detected";\
content:"start";\
byte_jump:4,0,relative;\
content:"test";within:4;)
--------
The following Python file generates valid traffic given
the number of Xs to insert:
-------- snorttest.py
import sys
import struct

# number of 'X' filler bytes, given on the command line
no = int(sys.argv[1])

# payload: "start", the count as a 4-byte big-endian unsigned int,
# the filler, then "test"; written as raw bytes so it also runs on Python 3
payload = b'start' + struct.pack('>I', no) + b'X' * no + b'test'
getattr(sys.stdout, 'buffer', sys.stdout).write(payload)
--------
The problem is that Snort is not detecting packages when
the number of Xs is big (e.g. 10000). In that case the
application-level data is segmented in multiple TCP packets.
For instance, in this case, Snort detects the package:
$ python snorttest.py 10 | nc target 1234
While in this case it doesn't:
$ python snorttest.py 10000 | nc target 1234
I attach the files snorttest10.pcap and snorttest10000.pcap
corresponding to each of these cases.
Thanks in advance for your help,
--
Shaiming Hsiung
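The following is an added illustration, not code from the thread or from the Snort project: a small Python model of what the rule above does (find "start", read a 4-byte big-endian count, jump that many bytes, expect "test" within the next 4 bytes) applied once per TCP segment and once to the reassembled stream. The payload generator and the 1460-byte segment size are constructed for the example; it shows why the 10-byte case matches in a single segment while the 10000-byte case can only match after Stream5 has reassembled the segments.

```python
import struct

def make_payload(n):
    """Constructed payload in the thread's format:
    'start' + 4-byte big-endian count + n 'X' bytes + 'test'."""
    return b'start' + struct.pack('>I', n) + b'X' * n + b'test'

def segment(payload, mss=1460):
    """Constructed stand-in for TCP segmentation: split the payload into
    chunks of at most mss bytes (1460 is a typical Ethernet TCP MSS)."""
    return [payload[i:i + mss] for i in range(0, len(payload), mss)]

def rule_matches(data):
    """Model of:  content:"start"; byte_jump:4,0,relative; content:"test"; within:4;
    byte_jump reads 4 bytes at offset 0 from the detection cursor (big-endian
    by default), then moves the cursor past those bytes and the decoded count."""
    pos = data.find(b'start')
    if pos < 0:
        return False                      # first content match failed
    cursor = pos + len(b'start')
    if len(data) < cursor + 4:
        return False                      # byte_jump cannot read 4 bytes
    count = struct.unpack('>I', data[cursor:cursor + 4])[0]
    cursor += 4 + count                   # relative jump from end of the 4 bytes
    # within:4 -> "test" must lie entirely inside the next 4 bytes
    window = data[cursor:cursor + 4]
    return window.find(b'test') >= 0

def match_per_segment(segments):
    """Detection without stream reassembly: each segment inspected alone."""
    return any(rule_matches(s) for s in segments)

def match_reassembled(segments):
    """Detection on the reassembled stream, as Stream5 would present it."""
    return rule_matches(b''.join(segments))

if __name__ == '__main__':
    for n in (10, 10000):
        segs = segment(make_payload(n))
        print(n, len(segs), 'segment(s):',
              'per-segment', match_per_segment(segs),
              'reassembled', match_reassembled(segs))
```

Running it prints one line per case: the 10-X payload fits in one segment and matches either way, while the 10000-X payload spans several segments and matches only on the reassembled stream. That is the behaviour Stream5 is supposed to provide, which is why checksum handling (the "-k none" suggestion above) rather than the rule itself is the thing to check when reassembly seems not to happen: packets whose TCP checksum fails verification are not fed to the stream reassembler.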
Current thread:
- byte_jump + Stream5, should it work? Shaiming Hsiung (Dec 24)
- Re: byte_jump + Stream5, should it work? rmkml (Dec 24)
- Re: byte_jump + Stream5, should it work? Joel Esler (Dec 24)
- Re: byte_jump + Stream5, should it work? Shaiming Hsiung (Dec 27)
- Re: byte_jump + Stream5, should it work? rmkml (Dec 27)
- Re: [Snort-users] byte_jump + Stream5, should it work? rmkml (Dec 27)
- Re: byte_jump + Stream5, should it work? Shaiming Hsiung (Dec 27)
