This is a prototype plugin that lets a Snort user write rules based on the packet or byte offset within a given stream. This can be useful if you are interested in looking at the pre-encryption negotiation of a TCP session, or if you know that something interesting happens 10,000 bytes into a connection.
There are seven commands in the stream option type. An example of one of these commands looks like:
alert tcp any any -> any 22 (stream: strm_pkt_eq,20,0; msg:"strm_pkt_Req";)
Here, for whatever reason, we are interested in looking at packet 20 in a stream going to port 22.
A complete list of the commands, their form and some short notes follows. Note which argument position each command reads: EQ and LT use the first number, GT uses the second, and LG uses both.

| Command | Meaning |
|---|---|
| STRM_PKT_EQ,#,0 | packet in stream = #; the plugin ignores the "0" |
| STRM_PKT_LT,#,0 | packet in stream < #; the plugin ignores the "0" |
| STRM_PKT_GT,0,# | packet in stream > #; the plugin ignores the "0" |
| STRM_PKT_LG,#1,#2 | packet in stream < #1 && > #2 |
| STRM_BYTE_LT,#,0 | byte count in stream < #; the plugin ignores the "0" |
| STRM_BYTE_GT,0,# | byte count in stream > #; the plugin ignores the "0" |
| STRM_BYTE_LG,#1,#2 | byte count in stream < #1 && > #2 |
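To make the argument-position rules concrete, here is a small reference matcher for the seven commands written in Python. It is an added example, not the plugin's own code (which is a C plugin for Snort), and it makes two assumptions the page does not spell out: packet numbers are counted per flow starting at 1, and the byte count is the cumulative payload length including the current packet. The `dst_port` filter stands in for the `-> any 22` part of the rule header, and the sample packets are constructed for the example.

```python
"""Reference matcher for the stream plugin's seven commands (added example).

Assumptions (not stated by the plugin's README): packet numbers are 1-based
per flow, and the byte count is cumulative payload bytes including the
current packet. EQ/LT read the first argument, GT the second, and LG
means "< #1 and > #2", exactly as the command table lists them.
"""
from collections import defaultdict

COMMANDS = {"STRM_PKT_EQ", "STRM_PKT_LT", "STRM_PKT_GT", "STRM_PKT_LG",
            "STRM_BYTE_LT", "STRM_BYTE_GT", "STRM_BYTE_LG"}


def parse_stream_option(option):
    """Parse the value of a 'stream:' option such as 'strm_pkt_eq,20,0'.

    Returns (COMMAND, arg1, arg2). Unknown commands and malformed argument
    lists raise, so a typo in a rule fails loudly instead of never matching.
    """
    parts = [p.strip() for p in option.split(",")]
    if len(parts) != 3:
        raise ValueError("stream option needs exactly three fields: %r" % option)
    cmd = parts[0].upper()
    if cmd not in COMMANDS:
        raise ValueError("unknown stream command: %r" % parts[0])
    return cmd, int(parts[1]), int(parts[2])


def stream_matches(cmd, arg1, arg2, pkt_num, byte_count):
    """Apply one command to the current packet number and byte count."""
    value = pkt_num if cmd.startswith("STRM_PKT_") else byte_count
    op = cmd.rsplit("_", 1)[1]
    if op == "EQ":
        return value == arg1          # second argument is ignored
    if op == "LT":
        return value < arg1           # second argument is ignored
    if op == "GT":
        return value > arg2           # first argument is ignored
    if op == "LG":
        return arg2 < value < arg1    # #1 is the upper bound, #2 the lower
    raise ValueError(cmd)


class StreamCounter:
    """Per-flow packet and payload byte counters keyed by the 5-tuple."""

    def __init__(self):
        self._state = defaultdict(lambda: [0, 0])

    def observe(self, flow, payload_len):
        """Record one packet on `flow`; return its (packet number, byte count)."""
        counters = self._state[flow]
        counters[0] += 1
        counters[1] += payload_len
        return counters[0], counters[1]


def firing_packets(option, packets, dst_port=None):
    """Return the per-flow packet numbers at which the stream option fires.

    `packets` is an iterable of (flow, payload_len) in capture order, where
    flow = (src, sport, dst, dport, proto). Every packet advances its own
    flow's counters; only flows whose dport equals `dst_port` can alert,
    mirroring the '-> any <port>' part of a rule header.
    """
    cmd, arg1, arg2 = parse_stream_option(option)
    counter = StreamCounter()
    hits = []
    for flow, payload_len in packets:
        pkt_num, byte_count = counter.observe(flow, payload_len)
        if dst_port is not None and flow[3] != dst_port:
            continue
        if stream_matches(cmd, arg1, arg2, pkt_num, byte_count):
            hits.append(pkt_num)
    return hits


# Constructed sample: one SSH flow of 25 packets with 500 payload bytes each,
# interleaved with a second flow whose packets must not disturb its counters.
SSH_FLOW = ("10.0.0.5", 40000, "10.0.0.9", 22, "tcp")
OTHER_FLOW = ("10.0.0.5", 40001, "10.0.0.9", 80, "tcp")
SAMPLE_PACKETS = []
for _ in range(25):
    SAMPLE_PACKETS.append((SSH_FLOW, 500))
    SAMPLE_PACKETS.append((OTHER_FLOW, 1400))

if __name__ == "__main__":
    for opt in ("strm_pkt_eq,20,0", "strm_byte_gt,0,10000", "strm_byte_lg,3000,1000"):
        print(opt, "->", firing_packets(opt, SAMPLE_PACKETS, dst_port=22))
```

Run as a script it prints which SSH packets each option would alert on; `strm_pkt_eq,20,0` fires once, at packet 20, while the byte-based options fire on every packet past the threshold, which matters when deciding how noisy a byte-offset rule will be on a busy flow.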
The rule matching was incomplete until Snort version 1.9.0beta (Build 179). If you use a previous build, you will find that logging is incorrect.
The plugin program may be found here:
and may be compiled in and referenced like any other plugin. For an idea of how to do this, look at the other software for Snort version 1.9.x.