[Snort-devel] New feature in snort - mark modified packets

From: Martin Olsson <elof(at)sentor.se>
Date: Mon Jun 23 2003 - 11:52:03 EDT

It would be nice to know if the packet payload one is looking at in ACID (or tcpdump) is an original packet, an uber-packet or if it is modified in any way.

Could snort include a label indicating the origin of the logged packet?

Like this:

O = Original packet, not modified
U = This is an uber-packet assembled from stream4
M = Modified packet (some preprocessor has modified the packet and the
    original no longer exists)
A = This is an alternate packet (some preprocessor has modified the
    packet, but the original still exists in memory (when this was logged))
N = Payload does not exist. The alert is built on statistics, counters,
    timers...

...or maybe this is better:


A field containing a list of all the functions that have modified the packet in some way. If several preprocessors (and some output plugin) have modified the packet between the capture and the log, then just one position for the label is not enough.

When the packet is captured from the interface the list contains only:
"Original".

As it passes through the preprocessors they add a label if they have modified it.
"Original --> modified(rpc_decode)"

or
"Original --> alternate(telnet_decode) --> uber-packet(stream4)"

The above would be the parsed text. The logged data would be much smaller since O, U, M, A and N as well as the preprocessors have numeric representations (see the file generators).

I hope this could be included in snort. I think it would add to the understanding of the alert when analyzed by an operator.

Anyone else think this is a good idea?

Martin Olsson
Sentor AB, Sweden
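One way the proposed origin chain could be stored compactly and rendered back into the parsed text, as an added example that is not part of the original post or of Snort itself; the numeric origin codes and generator ids below are constructed placeholders, not Snort's real generator numbers:

```python
import struct

# Origin labels from the proposal; the numeric codes are constructed for this example.
ORIGIN = {"O": (0, "Original"), "U": (1, "uber-packet"),
          "M": (2, "modified"), "A": (3, "alternate"), "N": (4, "no-payload")}
CODE_TO_LETTER = {num: letter for letter, (num, _) in ORIGIN.items()}
# Hypothetical generator ids for the stages named in the mail
# (placeholders, not the values from Snort's generators file).
GENERATORS = {"capture": 0, "rpc_decode": 1, "telnet_decode": 2, "stream4": 3}
GID_TO_NAME = {gid: name for name, gid in GENERATORS.items()}


def new_chain():
    """A freshly captured packet starts with a single 'Original' stage."""
    return [("O", "capture")]


def add_stage(chain, letter, generator):
    """Append a stage: `generator` produced a packet of kind `letter` (U/M/A/N)."""
    if letter not in ORIGIN or generator not in GENERATORS:
        raise ValueError("unknown origin label or generator")
    return chain + [(letter, generator)]


def encode(chain):
    """Logged form: one byte origin code plus a two-byte generator id per stage."""
    return b"".join(struct.pack("!BH", ORIGIN[l][0], GENERATORS[g]) for l, g in chain)


def decode(blob):
    """Inverse of encode(); rejects a chain that was cut off mid-stage."""
    if len(blob) % 3:
        raise ValueError("truncated origin chain")
    return [(CODE_TO_LETTER[c], GID_TO_NAME[g]) for c, g in struct.iter_unpack("!BH", blob)]


def render(chain):
    """Parsed text an operator would see, e.g. in the console or ACID."""
    parts = [ORIGIN[chain[0][0]][1]]
    parts += [f"{ORIGIN[l][1]}({g})" for l, g in chain[1:]]
    return " --> ".join(parts)


if __name__ == "__main__":
    chain = add_stage(add_stage(new_chain(), "A", "telnet_decode"), "U", "stream4")
    print(render(chain))          # Original --> alternate(telnet_decode) --> uber-packet(stream4)
    print(len(encode(chain)))     # 9 bytes for three stages
```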




Snort-devel mailing list
Snort-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-devel

Received on Mon Jun 23 12:12:52 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:08:06 EDT

