[Oisf-devel] TCP stream reassembly

Kevin Ross kevross33 at googlemail.com
Tue Nov 1 15:12:51 UTC 2011


Sorry I am not familiar as I am not really a programmer. I would recommend
however using latest snort builds for this rather than 2.8.6 because it
means you can get more familiar with current detection capabilities as well
as possible fixes & improvements in the code.

Snort certainly does need libdnet, libnet etc before you can compile but I
don't know any specifics. I have also copied in the oisf-devel so perhaps
someone there may be kind enough to help or perhaps point you in the right
direction of where to look using suricata
(http://www.openinfosecfoundation.org/index.php/downloads) instead on their
stream reassembly if snort community/VRT doesn't get back to you.


2011/11/1 anjing83830 at 163.com <anjing83830 at 163.com>

> hello:
>       Thank you for your reply!
>    I read the user manual and configured the snort.conf, it is running. And
> recently I am studying the snort-2.8.6 source code, but I can not find out
> the tcp stream reassembly function, just find the stream5 preprocessor
> function is "stream5process". So I don't know how to realize the tcp stream
> reassembly module. On the internet someone mentioned that snort tcp
> stream reassembly is based on Libnids, using the libnids api to reassemble
> tcp streams, isn't it?
>       If you are familiar with the snort source code, I look forward to your
> help.
>       Thank you !
>
> On Nov 1, 4:53 PM, Kevin Ross <kevros... at googlemail.com> wrote:
> > Yes it does using the stream5 preprocessor. Read the snort manual on
> > configuring the stream5 preprocessor for more info and look at the example
> > configuration in the snort.conf distributed with snort source. You may also
> > want to look at a tool called hogger (google snort hogger or hogger host
> > attribute file). That tool can take nmap scans of your network and generate
> > host attribute files which are like maps of the network and is used for
> > both applying rules I believe to traffic flows as well as stream and
> > fragment reassembly (makes it more accurate for things like if it is a BSD
> > based OS, Linux, Windows etc it will make sure it reassembles correctly for
> > the OS). I think this helps accuracy, limits false positives and perhaps
> > also performance though not sure on that one though it certainly doesn't
> > make it any worse.
> >
> > On 1 November 2011 03:09, anjing83... at 163.com <anjing83... at 163.com> wrote:
> >
> > > Does Snort perform TCP stream reassembly?How to do?
> > > Thank you!
> >
> > > --
> > > To post to this group, send email to snortusers at googlegroups.com
> > >
> > > Please visit http://blog.snort.org for the latest news about Snort!
>
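The quoted reply points out that stream5 reassembles according to the target host's OS, because hosts resolve overlapping TCP segments differently and a sensor that guesses wrong inspects a different byte stream than the application received. The following is an added illustration, not code from this thread or from Snort: a toy reassembler applying stream5's generic "first" and "last" overlap policies to a constructed segment list (the per-OS policies Snort ships are more nuanced, e.g. they also depend on where the overlap begins, so this only shows why the policy choice matters; all names and sample data are this example's own).

```python
from dataclasses import dataclass

@dataclass
class Segment:
    seq: int     # absolute TCP sequence number of the first payload byte
    data: bytes  # payload; segments are listed in order of arrival

def reassemble(segments, base, policy="first"):
    """Rebuild the contiguous byte stream from segments in arrival order.

    base   sequence number of the first payload byte of the stream
    policy "first": on overlapping bytes keep what arrived first
           "last":  on overlapping bytes let later data overwrite earlier data
    Returns the bytes up to the first hole: data past a hole is not yet
    deliverable to the application, so a sensor should not inspect it as such.
    """
    if policy not in ("first", "last"):
        raise ValueError("policy must be 'first' or 'last'")
    buf = {}  # relative offset from base -> byte value
    for seg in segments:
        for i, b in enumerate(seg.data):
            off = seg.seq - base + i
            if policy == "last" or off not in buf:
                buf[off] = b
    out = bytearray()
    off = 0
    while off in buf:          # stop at the first missing offset
        out.append(buf[off])
        off += 1
    return bytes(out)

def is_ambiguous(segments, base):
    """True when the two policies disagree: some overlap carried conflicting
    data, so only the receiving host's own policy decides what it saw. A
    sensor can flag such streams instead of silently trusting one view."""
    return reassemble(segments, base, "first") != reassemble(segments, base, "last")

# Constructed sample: an HTTP request in which the bytes at seq 1005..1009 were
# sent twice with different content (a retransmission carrying changed data).
BASE = 1000
SEGMENTS = [
    Segment(1000, b"GET /"),
    Segment(1005, b"index"),
    Segment(1005, b"admin"),      # overlaps the previous segment entirely
    Segment(1010, b".html\r\n"),
]

if __name__ == "__main__":
    print("first:", reassemble(SEGMENTS, BASE, "first"))  # b'GET /index.html\r\n'
    print("last: ", reassemble(SEGMENTS, BASE, "last"))   # b'GET /admin.html\r\n'
    print("ambiguous:", is_ambiguous(SEGMENTS, BASE))     # True
```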