-
January 30th, 2004, 01:32 AM
#1
Snort Stream4
Seems like there are quite a few who know Snort well here and I'm hoping I can get an answer here faster than on the snort mailing list....
Stream4:
Ok so supposedly this reassembles a TCP stream. So a single email being sent should all be reassembled?
Basically some rules I developed scan for 2 parts of content in an email, one at the beginning and one at the end. Since the email will generally be large it will be sent in multiple packets. If I scan for the content separately both rules would trigger. But when I combine them into 1 rule with stream4 reassemble on it does not alert. Am I missing something?
That which does not kill me makes me stronger -- Friedrich Nietzsche
-
January 30th, 2004, 01:49 AM
#2
Perhaps if you posted the single rule, people can look at it and make suggestions?
-
January 30th, 2004, 01:56 AM
#3
yeah.... i had problems with that......
go on www.google.com and search about it and it will tell u what u need....
peace...
-
January 30th, 2004, 02:14 AM
#4
hodzic: WTF!
yeah.... i had problems with that......
go on www.google.com and search about it and it will tell u what u need....
peace...
We're not noobs...I'm sure S3cur|ty4ng31 knows Google is his friend.
MsMittens: I have a request. Could you see what could be done about having the AntiPoints system auto-assign negs for nonsense posts?
S3cur|ty4ng31:
I had a similar problem trying to use stream4, but I just decided that 2 rules were better than none! In this case, however, it would be better if there were only one. I haven't a clue why it didn't work and didn't bother to find out.
Ask Q.o.D
-
January 30th, 2004, 08:44 PM
#5
Here's the rule; basically I'm just trying to make the perfect Novarg/Mydoom rule that will have no false positives.
alert tcp any any -> any 25 (msg:"Virus - Novarg/Mydoom";content:"VVBY"; content:"JmpvZT9uZW8v"; sid:31337; classtype:misc-activity; rev:2; reference:url,www.cert.org/incident_notes/IN-2004-01.html;)
The VVBY comes within the first 640 bytes and JmpvZT9uZW8v is later in the email.
And in my snort.conf I have
preprocessor stream4_reassemble
If I had the rules like this
alert tcp any any -> any 25 (msg:"Virus - Novarg/Mydoom"; content:"JmpvZT9uZW8v"; sid:31337; classtype:misc-activity; rev:2; reference:url,www.cert.org/incident_notes/IN-2004-01.html;)
alert tcp any any -> any 25 (msg:"Virus - Novarg/Mydoom"; content:"VVBY"; sid:31338; classtype:misc-activity; rev:2; reference:url,www.cert.org/incident_notes/IN-2004-01.html;)
both would trigger on a single email.
Originally posted here by hodzic
yeah.... i had problems with that......
go on www.google.com and search about it and it will tell u what u need....
peace...
Not to flame you, but this is not a very helpful post. I've been to Google and I've read the snort 2.1.0 manual and to my understanding this is how it works, so if you had the same problem and you found what you need you could just post it, but I suspect you don't.
That which does not kill me makes me stronger -- Friedrich Nietzsche
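The matching problem described in this post, as an added illustration (not part of the original thread and not Snort's own code): a simplified model of how a rule with two content: strings behaves against an email split across TCP segments, with and without reassembly. The email body, the 64-byte segment size and the flush size are constructed for the example; only the two content strings and the two sid values come from the rules above. The flush-size case goes beyond the post: it shows how a reassembler that hands its buffer to the detection engine in fixed-size chunks can still separate the two strings, which is one reason a combined rule may stay silent even when reassembly is on.

```python
# Added example: per-packet vs. stream-reassembled content matching.
# A simplified model of how content: options are evaluated, not Snort's
# detection engine. All sample data below is constructed for illustration.
from typing import Dict, List, Optional, Sequence, Set

# The two content strings from the rule in the post.
COMBINED_RULES: Dict[str, Sequence[bytes]] = {
    "sid:31337 (both contents)": (b"VVBY", b"JmpvZT9uZW8v"),
}
SPLIT_RULES: Dict[str, Sequence[bytes]] = {
    "sid:31337": (b"JmpvZT9uZW8v",),
    "sid:31338": (b"VVBY",),
}


def build_segments(seg_size: int = 64) -> List[bytes]:
    """Constructed SMTP DATA body carried in fixed-size TCP segments.

    The first pattern lands near the start of the message and the second
    near the end, so they never share a segment (seg_size is an assumption).
    """
    header = b"DATA\r\nSubject: hi\r\nContent-Transfer-Encoding: base64\r\n\r\n"
    filler = b"QUFB" * 60  # constructed base64-looking filler, not real mail
    body = header + b"VVBY" + filler + b"JmpvZT9uZW8v" + b"\r\n.\r\n"
    return [body[i:i + seg_size] for i in range(0, len(body), seg_size)]


def rule_matches(payload: bytes, contents: Sequence[bytes]) -> bool:
    """Every content: option of one rule must match the same buffer."""
    return all(c in payload for c in contents)


def alerts_per_packet(segments: List[bytes],
                      rules: Dict[str, Sequence[bytes]]) -> Set[str]:
    """No reassembly: each rule is evaluated against each segment on its own."""
    fired: Set[str] = set()
    for seg in segments:
        for name, contents in rules.items():
            if rule_matches(seg, contents):
                fired.add(name)
    return fired


def reassemble(segments: List[bytes],
               flush_size: Optional[int] = None) -> List[bytes]:
    """Join the segments into a stream.

    With flush_size set, the stream is handed out in chunks of that size,
    modelling a reassembler that flushes its buffer at fixed points
    (a simplification; the real flush policy is configuration-dependent).
    """
    stream = b"".join(segments)
    if flush_size is None:
        return [stream]
    return [stream[i:i + flush_size] for i in range(0, len(stream), flush_size)]


def alerts_reassembled(segments: List[bytes],
                       rules: Dict[str, Sequence[bytes]],
                       flush_size: Optional[int] = None) -> Set[str]:
    """Reassembly on: rules are evaluated against each reassembled buffer."""
    fired: Set[str] = set()
    for buf in reassemble(segments, flush_size):
        for name, contents in rules.items():
            if rule_matches(buf, contents):
                fired.add(name)
    return fired


if __name__ == "__main__":
    segs = build_segments()
    print("segments:", len(segs))
    print("per packet, combined rule :", alerts_per_packet(segs, COMBINED_RULES))
    print("per packet, split rules   :", alerts_per_packet(segs, SPLIT_RULES))
    print("reassembled, combined     :", alerts_reassembled(segs, COMBINED_RULES))
    print("reassembled, 128B flushes :", alerts_reassembled(segs, COMBINED_RULES, 128))
```

Run it and the first case comes back empty while the split rules both fire, which is the behaviour the post describes; the whole-stream case fires the combined rule; the 128-byte flush case is empty again because the two strings fall into different flushed buffers. When debugging a combined rule, confirm the reassembled buffer actually contains both strings at once before suspecting the rule syntax.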
-
January 30th, 2004, 08:49 PM
#6
May sound stupid but spacing? Lemme think about this.. I've done a few rules and usually individually...