[Snort-users] stream4: logging characteristics (Snort forums, System Security and Security Related category)
Regarding the stream4 preprocessor:

First: My understanding is that the stream4 preprocessor configured with the log_flushed_streams option should, on a positive signature detect, log the entire stream or "uber" packet when logging to tcpdump output.

    preprocessor stream4: log_flushed_streams

Combining this with the stream4_reassemble options of client_only, server_only, or both should result in an entire stream packet dump of the client side, server side, or both sides of the TCP stream, respectively.

    preprocessor stream4_reassemble: both

Is this a correct interpretation of these options?

Second: The stream4 preprocessor is supposed to combine all of the packets from a TCP stream into a single session "uber" packet. This being the case, would it not be possible to write a rule such as

    alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS \
    (msg:"POSITIVE -- WEB-IIS cmd.exe access"; \
    flow:established,only_stream; content:"cmd.exe"; nocase; \
    content: "200 OK"; nocase; )

that would match "cmd.exe" and "200 OK" only in the same session?

-- 
Thank You,
Brian A. Kee
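A toy model of the reassembly the post describes, added here as an example (it is not code from the original post or from Snort); the session ids, the packet payloads and the "combined" mode are constructed. It shows that whether the two content patterns can match in one session depends on whether the client and server directions are flushed as one buffer or as two, which is what the poster's second question turns on.

```python
"""Toy model of stream4-style reassembly (added example, not Snort code).
Payloads of one TCP session are concatenated per direction and handed to
the content matcher as one flushed buffer, the "uber" packet described in
the post. The matcher needs every pattern in a single buffer."""
from collections import defaultdict

# Constructed sample packets: (session id, direction, payload).
PACKETS = [
    ("s1", "client", b"GET /scripts/..%c0%af../winnt/system32/cm"),
    ("s1", "client", b"d.exe?/c+dir HTTP/1.0\r\n\r\n"),
    ("s1", "server", b"HTTP/1.0 200 OK\r\nContent-Type: text/html\r\n\r\n"),
    ("s2", "client", b"GET /index.html HTTP/1.0\r\n\r\n"),
    ("s2", "server", b"HTTP/1.0 200 OK\r\n\r\n"),
    ("s3", "client", b"GET /cmd.exe HTTP/1.0\r\n\r\n"),
    ("s3", "server", b"HTTP/1.0 404 Not Found\r\n\r\n"),
]

# Content patterns from the rule in the post; matched case-insensitively
# to mirror the rule's nocase modifier.
CONTENTS = (b"cmd.exe", b"200 OK")

# Which flushed buffers each reassembly mode produces for one session.
# "combined" is hypothetical: it models the alternative the post asks
# about, both directions joined into one buffer.
MODES = {
    "client_only": lambda c, s: [c],
    "server_only": lambda c, s: [s],
    "both": lambda c, s: [c, s],
    "combined": lambda c, s: [c + s],
}


def reassemble(packets, mode):
    """Return {session: [flushed buffer, ...]} for the given mode."""
    streams = defaultdict(lambda: {"client": b"", "server": b""})
    for sid, direction, payload in packets:
        streams[sid][direction] += payload
    return {sid: MODES[mode](d["client"], d["server"]) for sid, d in streams.items()}


def matching_sessions(packets, mode, contents=CONTENTS):
    """Sessions in which one flushed buffer contains every content pattern."""
    hits = [sid for sid, buffers in reassemble(packets, mode).items()
            if any(all(c.lower() in b.lower() for c in contents) for b in buffers)]
    return sorted(hits)
```

In session s1 the string "cmd.exe" is split across two client packets, so only the reassembled client buffer contains it; and because "200 OK" lives in the server direction, a rule requiring both patterns fires only in the hypothetical "combined" mode, not when each direction is flushed on its own.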