
Snort Forums Archive




stream4 : reassembly


Posted by niteshg on July 18, 2005 07:48:55

Hello Roesch,
The question is about stream reassembly. I understand that the packets are sent to the detection engine twice, i.e. (1) individual packets are sent and (2) they are also reassembled on a per-session basis and then the whole chunk of the reassembled segments is sent. My doubt is that the book says the number of packets reassembled is random so that the attacker cannot hide the pattern in the 2 chunks of packets being reassembled. But still, isn't it possible for the detection engine to miss the malicious pattern if the pattern is hidden in 2 separate chunks of reassembled bytes? I.e. if I reassemble a session and a part of the pattern is hidden in the last part of the reassembled chunk, and then I start my reassembly again by flushing out the old session bytes, and then after a random amount of data bytes reassembled I send the next chunk to the detection engine.
Now the other half of the pattern is in the first half of the reassembled data.
How does snort account for such a case?
Thanks,
Nitesh

Posted by Joel_Esler on August 26, 2005 15:41:49

Packets are sent to reassembly before they are sent to the preprocessors or the rule engine. Does that
answer your question better? We'd like to help...


Joel Esler
SOURCEfire

Posted by snortrulesalways on January 24, 2007 16:30:04

Hello Joel, I have the same questions as the original, and either I don't understand your reply or it is not answered by your reply.
1. Are the packets being sent to the detection engine twice? Once when a complete packet is encountered, and a second time when the larger pseudo-packet is completed as a collection of multiple original packets? Could this result in duplicate alerts?
2. Even with a random flushing point, some session could sneak through by having its malicious content spread out over two consecutive pseudo-packets, right?

Thanks
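The concern in both of the questions above (a pattern split across two consecutive reassembled pseudo-packets, and duplicate alerts when the same bytes are inspected once as a packet and once inside the reassembled chunk) can be made concrete with a small simulation. The following is an added example for this archive page, not Snort's stream4 code and not a description of how Snort actually handles these cases: the segments, the pattern, and the flush offsets (55 and 70) are all constructed by hand, and `overlapping_detect` shows one generic countermeasure (carrying the last len(pattern)-1 bytes of the previous pseudo-packet forward and de-duplicating alerts by absolute stream offset), not a claim about Snort's own behaviour.

```python
"""Flush-boundary evasion demo for stream reassembly (constructed example,
not Snort stream4 code).

A session's TCP payload is reassembled into pseudo-packets that are flushed
at some byte offset, and each pseudo-packet is pattern-matched on its own.
A pattern that straddles the flush boundary is split across two
pseudo-packets and missed by the naive approach.  overlapping_detect()
carries the tail of the previous pseudo-packet forward so the straddling
match is still seen, and reports every match by absolute stream offset so
the per-packet and per-pseudo-packet paths can be de-duplicated.
"""
from typing import List, Tuple

# Constructed payload segments for one direction of one TCP session.
# The pattern "ATTACKER-TOOL" is deliberately split across segments 1 and 2.
SEGMENTS: List[bytes] = [
    b"GET /index.html HTTP/1.0\r\nHost: victim\r\n",   # 40 bytes, offsets 0..39
    b"User-Agent: ATT",                                 # 15 bytes, offsets 40..54
    b"ACKER-TOOL/1.0\r\n\r\n",                          # 18 bytes, offsets 55..72
]
PATTERN = b"ATTACKER-TOOL"   # begins at absolute stream offset 52


def reassemble(segments: List[bytes], flush_points: List[int]) -> List[Tuple[int, bytes]]:
    """Join the segments into a stream and flush a pseudo-packet at each
    absolute byte offset in flush_points.  Returns (stream_offset, data)."""
    stream = b"".join(segments)
    chunks, start = [], 0
    for fp in sorted(flush_points):
        if start < fp <= len(stream):
            chunks.append((start, stream[start:fp]))
            start = fp
    if start < len(stream):
        chunks.append((start, stream[start:]))
    return chunks


def match_offsets(data: bytes, pattern: bytes) -> List[int]:
    """Every (possibly overlapping) offset at which pattern occurs in data."""
    hits, i = [], data.find(pattern)
    while i != -1:
        hits.append(i)
        i = data.find(pattern, i + 1)
    return hits


def segment_detect(segments: List[bytes], pattern: bytes) -> List[int]:
    """Inspect each original segment on its own (the 'individual packets' path)."""
    found, base = [], 0
    for seg in segments:
        found.extend(base + off for off in match_offsets(seg, pattern))
        base += len(seg)
    return found


def naive_detect(chunks: List[Tuple[int, bytes]], pattern: bytes) -> List[int]:
    """Inspect each pseudo-packet in isolation: misses a pattern that straddles
    a flush boundary, which is the evasion the thread asks about."""
    found = []
    for base, data in chunks:
        found.extend(base + off for off in match_offsets(data, pattern))
    return found


def overlapping_detect(chunks: List[Tuple[int, bytes]], pattern: bytes) -> List[int]:
    """Prepend the last len(pattern)-1 bytes of the previous pseudo-packet so a
    straddling pattern is matched, and report each match exactly once."""
    keep = len(pattern) - 1
    carry = b""          # tail of the previous pseudo-packet
    found = []
    for base, data in chunks:
        window = carry + data
        window_base = base - len(carry)       # absolute offset of window[0]
        for off in match_offsets(window, pattern):
            abs_off = window_base + off
            # A match ending inside the carried bytes was already reported
            # while inspecting the previous pseudo-packet; skip it.
            if abs_off + len(pattern) > base:
                found.append(abs_off)
        carry = window[-keep:] if keep > 0 else b""
    return found


def all_alerts(segments: List[bytes], chunks: List[Tuple[int, bytes]], pattern: bytes) -> List[int]:
    """Union of the per-segment and per-pseudo-packet paths, de-duplicated by
    absolute stream offset so the same bytes never alert twice."""
    return sorted(set(segment_detect(segments, pattern)) | set(overlapping_detect(chunks, pattern)))


def run_demo() -> dict:
    straddling = reassemble(SEGMENTS, [55])   # flush exactly where the pattern is split
    late = reassemble(SEGMENTS, [70])         # flush after the whole pattern has arrived
    return {
        "naive_straddling": naive_detect(straddling, PATTERN),        # missed
        "naive_late": naive_detect(late, PATTERN),                    # [52]
        "overlap_straddling": overlapping_detect(straddling, PATTERN),# [52]
        "overlap_late": overlapping_detect(late, PATTERN),            # [52]
        "segments_only": segment_detect(SEGMENTS, PATTERN),           # missed
        "host_dedup": all_alerts(SEGMENTS, straddling, b"Host: victim"),  # [26], once
    }


if __name__ == "__main__":
    for name, hits in run_demo().items():
        print(f"{name:20s} {hits}")
```

Whether the naive path alerts depends entirely on where the flush lands relative to the pattern (flush at 70 catches it, flush at 55 does not), which is exactly why a varying flush point alone is not a guarantee. The overlap carry makes the result independent of the flush point for patterns shorter than the carry, and de-duplicating by stream offset answers the duplicate-alert worry in question 1.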