Snort mailing list archives

Content across multiple packets Not detected by Snort


From: Dennis George <easyeinfo () yahoo com>
Date: Fri, 23 Apr 2004 01:59:26 -0700 (PDT)

Hi all,
 
Intro :
I am working with snort from the last 3 weeks. I am using Snort 2.1.0 for content monitoring.
 
Problem :
My problem is that if the content I am monitoring is split across two packets then Snort is not detecting it.
 
Home Work:
In my configuration file I have enabled stream4 and stream4_reassemble.
 
my snort.conf file
preprocessor stream4: detect_scans, disable_evasion_alerts, log_flushed_streams
 
preprocessor stream4_reassemble
preprocessor stream4_reassemble : clientonly, ports 25 80 3131
 
my rule file
alert tcp any any -> any any (content: "Hello World"; msg: "Got the message"; nocase;)
 
But still it is not detecting my content "Hello World" if it is split in two packets.
 
Earlier I thought Stream4 is not working so I debugged it.... But stream4 is working fine... It is enabled and it is 
forming the Session tree (splay tree). But in the Detection engine only packets are sent not the Session tree or the 
assembled packet......
 
Request ::
So you people please guide me where I am going wrong. Am I looking in the right place (stream4)?
 
Thanks in advance
Dennis George
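An added example, not code from the post or from Snort: a minimal per-flow TCP payload reassembler that shows why matching a content string against each packet on its own misses "Hello World" when it is split across two segments, while matching against the rebuilt stream finds it (case-insensitively, like `nocase`). The segments, addresses and the use of port 3131 from the poster's reassembly list are constructed sample data.

```python
from dataclasses import dataclass, field


@dataclass
class Segment:
    src: str
    sport: int
    dst: str
    dport: int
    seq: int          # TCP sequence number of the first payload byte
    payload: bytes


@dataclass
class Flow:
    isn: int                                   # lowest seq seen in this direction
    chunks: dict = field(default_factory=dict)  # seq -> payload

    def reassembled(self) -> bytes:
        """Concatenate in-order payload; stop at the first hole (no data to fill it)."""
        buf, expected = bytearray(), self.isn
        for seq in sorted(self.chunks):
            if seq != expected:
                break
            buf += self.chunks[seq]
            expected = seq + len(self.chunks[seq])
        return bytes(buf)


def per_packet_match(segments, pattern: bytes) -> bool:
    """What a rule sees without reassembly: each payload searched in isolation."""
    pat = pattern.lower()
    return any(pat in s.payload.lower() for s in segments)


def stream_match(segments, pattern: bytes) -> bool:
    """Buffer each direction of each flow by seq, then search the rebuilt stream."""
    flows = {}
    for s in segments:
        flow = flows.setdefault((s.src, s.sport, s.dst, s.dport), Flow(isn=s.seq))
        flow.isn = min(flow.isn, s.seq)
        flow.chunks[s.seq] = s.payload
    pat = pattern.lower()
    return any(pat in f.reassembled().lower() for f in flows.values())


# Constructed sample: "Hello World" cut across two client segments, delivered out of order.
SAMPLE = [
    Segment("10.0.0.5", 40000, "10.0.0.9", 3131, seq=1004, payload=b"o WORLD\r\n"),
    Segment("10.0.0.5", 40000, "10.0.0.9", 3131, seq=1000, payload=b"Hell"),
]

if __name__ == "__main__":
    print("per-packet :", per_packet_match(SAMPLE, b"Hello World"))  # False
    print("reassembled:", stream_match(SAMPLE, b"Hello World"))      # True
```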
 
