Sorry, I am not familiar with it as I am not really a programmer. I would recommend, however, using the latest Snort builds for this rather than 2.8.6, because it means you can get more familiar with current detection capabilities as well as possible fixes and improvements in the code. <br>
<br>Snort certainly does need libdnet, libnet, etc. before you can compile, but I don't know any specifics. I have also copied in oisf-devel, so perhaps someone there may be kind enough to help, or perhaps point you in the right direction of where to look at stream reassembly using Suricata (<a href="http://www.openinfosecfoundation.org/index.php/downloads">http://www.openinfosecfoundation.org/index.php/downloads</a>) instead, if the Snort community/VRT doesn't get back to you. <br>
<br><br><div class="gmail_quote">2011/11/1 <a href="mailto:anjing83830@163.com">anjing83830@163.com</a> <span dir="ltr"><<a href="mailto:anjing83830@163.com">anjing83830@163.com</a>></span><br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">
Hello:<br>
Thank you for your reply!<br>
I read the user manual and configured snort.conf, and it is running. Recently<br>
I have been studying the snort-2.8.6 source code, but I cannot find<br>
the TCP stream reassembly function; I only found that the stream5 preprocessor<br>
function is "stream5process". So I don't know how the TCP stream<br>
reassembly module is realized. On the internet someone mentioned that Snort TCP<br>
stream reassembly is based on Libnids, using the libnids API to reassemble<br>
TCP streams. Isn't it?<br>
If you are familiar with the Snort source code, I look forward to your<br>
help.<br>
Thank you!<br>
<div class="im"><br>
On 1 November, 4:53 PM, Kevin Ross <<a href="mailto:kevros...@googlemail.com">kevros...@googlemail.com</a>> wrote:<br>
> Yes, it does, using the stream5 preprocessor. Read the Snort manual on<br>
> configuring the stream5 preprocessor for more info, and look at the example<br>
> configuration in the snort.conf distributed with the Snort source. You may also<br>
> want to look at a tool called hogger (google "snort hogger" or "hogger host<br>
> attribute file"). That tool can take nmap scans of your network and generate<br>
> host attribute files, which are like maps of the network and are used, I believe,<br>
> both for applying rules to traffic flows and for stream and<br>
> fragment reassembly (it makes reassembly more accurate: if a host is a BSD-based<br>
> OS, Linux, Windows, etc., it will make sure the stream is reassembled correctly for<br>
> that OS). I think this helps accuracy and limits false positives, and perhaps<br>
> also helps performance, though I am not sure on that one; it certainly doesn't<br>
> make it any worse.<br>
><br>
</div><div class="im">> On 1 November 2011 03:09, <a href="mailto:anjing83...@163.com">anjing83...@163.com</a> <<a href="mailto:anjing83...@163.com">anjing83...@163.com</a>> wrote:<br>
><br>
><br>
><br>
> > Does Snort perform TCP stream reassembly?How to do?<br>
> > Thank you!<br>
><br>
> > --<br>
> > To post to this group, send email to <a href="mailto:snortusers@googlegroups.com">snortusers@googlegroups.com</a><br>
><br>
</div>> > Please visit <a href="http://blog.snort.org">http://blog.snort.org</a> for the latest news about Snort!<br>
</blockquote></div><br>
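<br>The thread above turns on one point worth seeing in code: two hosts can receive the same overlapping TCP segments and end up with different byte streams, because each TCP/IP stack has its own rule for which copy of an overlapped byte it keeps. That is why stream5 is target-based (<code>preprocessor stream5_tcp: policy &lt;name&gt;</code>, with <code>first</code> and <code>last</code> among the choices, and per-host policies taken from a host attribute table) and why a sensor using the wrong policy inspects a stream the victim never saw. The following script is an added example written for this page, not code from Snort or from anyone in the thread; it models only the two extreme policies, <code>first</code> and <code>last</code>, on a constructed pair of overlapping segments. Which real operating systems map to which behaviour is deliberately not modelled here; that table lives in the Snort manual's stream5 section and in Judy Novak's "Target-Based TCP Stream Reassembly" paper. For reference, Snort's own reassembly code is in <code>src/preprocessors/Stream5/</code> (e.g. <code>snort_stream5_tcp.c</code>) and does not use libnids.<br>

```python
"""Added example (not Snort's code): how the reassembly policy changes what an
IDS sees when an attacker sends overlapping TCP segments with different data.

Only the 'first' and 'last' policies are modelled. Real stacks are more subtle
(the outcome can depend on where the overlap starts and which segment is longer),
so do not read this toy as a statement about any particular OS.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List


@dataclass(frozen=True)
class Segment:
    """One TCP segment: relative sequence number of its first byte plus payload."""
    seq: int
    data: bytes


def reassemble(segments: Iterable[Segment], policy: str) -> bytes:
    """Return the contiguous byte stream starting at the lowest sequence number.

    policy == "first": the copy of a byte that arrived first is kept.
    policy == "last":  the copy that arrived last overwrites earlier ones.
    Reassembly stops at the first hole, as a stack would wait for the gap to fill.
    """
    if policy not in ("first", "last"):
        raise ValueError(f"unsupported policy {policy!r}; this toy knows first/last")
    window: Dict[int, int] = {}          # absolute offset -> byte value
    for seg in segments:                 # iterate in *arrival* order
        for i, byte in enumerate(seg.data):
            off = seg.seq + i
            if policy == "last" or off not in window:
                window[off] = byte
    if not window:
        return b""
    out = bytearray()
    off = min(window)
    while off in window:                 # stop at the first gap
        out.append(window[off])
        off += 1
    return bytes(out)


# Constructed evasion attempt (sample data, not captured traffic): the attacker
# sends the real request bytes, then a "retransmission" of the same sequence
# range carrying harmless bytes. Whichever copy the inspector keeps decides
# whether the signature below is visible to it.
EVASION_SEGMENTS: List[Segment] = [
    Segment(seq=0, data=b"GET /"),
    Segment(seq=5, data=b"etc/passwd"),   # first copy of offsets 5..14
    Segment(seq=5, data=b"index.html"),   # same range, different content, arrives later
]

SIGNATURE = b"/etc/passwd"               # the content a rule would match on


def alerts(segments: Iterable[Segment], policy: str, pattern: bytes = SIGNATURE) -> bool:
    """True if `pattern` occurs in the stream as reassembled under `policy`."""
    return pattern in reassemble(list(segments), policy)


if __name__ == "__main__":
    for name in ("first", "last"):
        stream = reassemble(EVASION_SEGMENTS, name)
        print(f"policy={name:<5} stream={stream!r} alert={alerts(EVASION_SEGMENTS, name)}")
```

Running it shows the same three segments producing <code>GET /etc/passwd</code> under <code>first</code> and <code>GET /index.html</code> under <code>last</code>, so the rule fires under one policy and not the other. The practical takeaway for the snort.conf question in the thread: set the default <code>policy</code> in <code>stream5_tcp</code> to match the hosts you actually protect, and use a host attribute table (loaded with Snort's <code>attribute_table</code> directive, which tools like hogger can generate from nmap output) so that each target gets its own policy rather than one global guess.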