
#14 All Packets with a session

Milestone: 2.0x
Status: closed
Owner: nobody
Labels: Reporting
Priority: 6
Updated: 2005-07-30
Created: 2005-02-03
Private: No

If you've got a wishlist somewhere, I've got another item. :) With the stream code in snort these days there may be more than one recorded packet for a signature, and the packet with the signature id associated might not be the one that triggered the alert. It would be cool if there were a button on the packet inspection page called "show me all packets associated with this session" or somesuch, which would pull up the tag packets that have the same IPs & ports as the original packet.

Mike Stone

Discussion

  • Joel Esler

    Joel Esler - 2005-02-03


    We can build that into present functionality I think. I
    don't know if we have to wait until 2.0 to build that.

     
  • Joel Esler

    Joel Esler - 2005-02-03
    • milestone: 467929 --> 467936
     
  • Nobody/Anonymous


    We did have a workaround for this when we used snort's xml output. We fed that into a perl script that reassembled the payload by appending tagged packet payload onto the payload of the firing event. But, we switched to barnyard and its acid db output plugin that goes direct to the db and hosed the whole deal. We are looking for a solution to return this capability. One other thing that we had was, we added a response payload field and as the tagged packets were processed, checked for direction and added the payload in the right place/field. Then, we modified acid_query_alert to show response right under payload. It helped immensely with false positive verification.

     
  • Joel Esler

    Joel Esler - 2005-04-01
    • priority: 4 --> 6
     
  • Joel Esler

    Joel Esler - 2005-04-01


    and then print it out into one plain text display, so it
    looks like Ethereal's "Follow TCP stream"
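
The two ideas above, grouping the tagged packets by the alert's session and then splitting their payloads by direction into one "Follow TCP stream" style view, as an added Python example that is not part of this ticket, of BASE or of the perl script the anonymous commenter describes. It assumes the alert and tagged packets have already been pulled from the database into simple records; the `Packet` type, the function names and the sample session are all constructed for illustration.

```python
"""Group Snort tagged packets by session and reassemble payload by direction.

Added example for this ticket (not BASE/ACID code). Packet records are
constructed sample data standing in for rows read from the alert database.
"""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Packet:
    ts: float            # capture timestamp in seconds (constructed)
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    payload: bytes
    is_alert: bool = False   # True for the packet that actually fired the signature


def session_key(p: Packet) -> Tuple[Tuple[str, int], Tuple[str, int]]:
    """Direction-independent key: both endpoints, sorted, so the request and
    response halves of one TCP session map to the same key."""
    a = (p.src_ip, p.src_port)
    b = (p.dst_ip, p.dst_port)
    return (a, b) if a <= b else (b, a)


def packets_for_session(alert: Packet, packets: List[Packet]) -> List[Packet]:
    """'Show me all packets associated with this session': every record that
    shares the alert packet's IPs and ports, in capture order."""
    key = session_key(alert)
    return sorted((p for p in packets if session_key(p) == key), key=lambda p: p.ts)


def reassemble(alert: Packet, packets: List[Packet]) -> Tuple[bytes, bytes]:
    """Concatenate payloads into (request, response) relative to the alert
    packet: same source endpoint as the alert -> request, reverse -> response.
    This is the 'response payload field' idea from the discussion."""
    request = b""
    response = b""
    for p in packets_for_session(alert, packets):
        if (p.src_ip, p.src_port) == (alert.src_ip, alert.src_port):
            request += p.payload
        else:
            response += p.payload
    return request, response


def follow_stream(alert: Packet, packets: List[Packet]) -> str:
    """Render one plain-text view like Ethereal's "Follow TCP stream",
    prefixing each payload with its direction and marking the firing packet."""
    lines = []
    for p in packets_for_session(alert, packets):
        same_dir = (p.src_ip, p.src_port) == (alert.src_ip, alert.src_port)
        direction = ">" if same_dir else "<"
        marker = " [alert]" if p.is_alert else ""
        lines.append(f"{direction} {p.src_ip}:{p.src_port} -> {p.dst_ip}:{p.dst_port}{marker}")
        lines.append(p.payload.decode("latin-1", errors="replace"))
    return "\n".join(lines)


# Constructed sample data: one HTTP session (alert packet plus two tagged
# packets) and one unrelated packet that must not show up in the session view.
SAMPLE = [
    Packet(1.0, "10.0.0.5", 40001, "192.0.2.10", 80,
           b"GET /cgi-bin/test-cgi HTTP/1.0\r\n", is_alert=True),
    Packet(1.1, "10.0.0.5", 40001, "192.0.2.10", 80, b"Host: www.example.com\r\n\r\n"),
    Packet(1.3, "192.0.2.10", 80, "10.0.0.5", 40001, b"HTTP/1.0 404 Not Found\r\n\r\n"),
    Packet(1.2, "10.0.0.7", 40002, "192.0.2.10", 80, b"GET / HTTP/1.0\r\n\r\n"),
]
ALERT = SAMPLE[0]

if __name__ == "__main__":
    print(follow_stream(ALERT, SAMPLE))
```

Matching on the sorted endpoint pair rather than on exact src/dst order is what makes the response packets land in the same session as the alert; sorting by timestamp is what keeps the reassembled payload in the order it crossed the wire.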

     
  • Kevin Johnson

    Kevin Johnson - 2005-07-30
    • milestone: 467936 --> 2.0x
    • status: open --> closed
     
  • Kevin Johnson

    Kevin Johnson - 2005-07-30


    Part of the TODO for 2.x