Snort Stream4

[S3cur|ty4ng31]

Seems like there quite a few who know snort well here and Im hoping I can get an answere here faster than the snort mailing list ....

Stream4:
Ok so supposedly this reassembles a tcp stream. So a single email being sent should all be reassembled?
Basically some rules I developed scan for 2 parts of content in an email one at the begining and one at the end. Since the email will be large generally it will be sent in multiple packets. If I scan for the content seperatly both rules would trigger. But when I combine them into 1 rule with stream4 reassemble on it does not alert. Am I missing something?

[MrLinus]

Perhaps if you posted the single rule, people can look at it and make suggestions?

[hodzic]

yeah.... i had problems with that......

go on www.google.com and search about it and it will tell u what u need....

peace...

[576869746568617]

hodzic: WTF!

yeah.... i had problems with that......

go on www.google.com and search about it and it will tell u what u need....

peace...

We're not noobs...I'm sure S3cur|ty4ng31 knows Google is his friend.

MsMittens: I have a request. Could you see what could be done about having the AntiPoints system auto-assign negs for nonsence posts?

S3cur|ty4ng31:

I had a similar problem trying to use stream4, but I just decided that 2 rules were better than none! In this case, however, it would be better if there were only one. I haven't a clue why it didn't work and didn't bother to find out.

Ask Q.o.D

[S3cur|ty4ng31]

Heres the rule, basically Im just trying to make the perfect Novarg/Mydoom rule that will have no false positives.

alert tcp any any -> any 25 (msg:"Virus - Novarg/Mydoom";content:"VVBY"; content:"JmpvZT9uZW8v"; sid:31337; classtype:misc-activity; rev:2; reference:url,www.cert.org/incident_notes/IN-2004-01.html;)

the VVBY comes with in the first 640 bytes and JmpvZT9uZW8v is later in the email.
And in my snort.conf i have

preprocessor stream4_reassemble

If I had the rules like this

alert tcp any any -> any 25 (msg:"Virus - Novarg/Mydoom"; content:"JmpvZT9uZW8v"; sid:31337; classtype:misc-activity; rev:2; reference:url,www.cert.org/incident_notes/IN-2004-01.html;)

alert tcp any any -> any 25 (msg:"Virus - Novarg/Mydoom";content:"VVBY" ; sid:31338; classtype:misc-activity; rev:2; reference:url,www.cert.org/incident_notes/IN-2004-01.html;)


both would trigger on a single email

Originally posted here by hodzic
yeah.... i had problems with that......

go on www.google.com and search about it and it will tell u what u need....

peace...

Not to flame you, but this is not a very helpful post. Ive been to google and Ive read the snort 2.1.0 manual and to may understanding this is how it works, so if you had the same problem and you found what you need you could just post it, but I suspect you dont.

[MrLinus]

May sound stupid but spacing? Lemme think about this.. I've done a few rules and usually individually...