Snort mailing list archives
Re: byte_jump + Stream5, should it work?
From: rmkml <rmkml () yahoo fr>
Date: Sat, 24 Dec 2011 16:39:14 +0100 (CET)
Hi Shaiming,
Can you share a pcap example please?
Can you test with the latest Snort v2.9.2 please?
Can you try with the default snort.conf with minimal changes?
Can you post your snort.conf + pcap + snort cmd line + snort verbose output?
Can you post a rule + pcap that describe your problem exactly please?
Happy Detect with Snort / Suricata / Bro.
Merry Christmas everyone.
Rmkml

On Fri, 23 Dec 2011, Shaiming Hsiung wrote:
Hello,

I am attempting to use Snort (version: 2.9.1.2 IPv6 GRE (Build 84)) to filter application-level packets in a binary length-encoded format. The Stream5 and HttpInspect preprocessors are enabled.

As far as I understand, when Stream5 is enabled, Snort is able to detect packets matching "content:" rules even if the target string is fragmented across multiple TCP packets. Experience seems to confirm that. However, when I use "byte_jump:" rules, Snort does not seem able to jump past the TCP packet boundary, even though Stream5 is enabled.

I haven't found any documentation in the Snort User's Manual regarding the relationship between the "byte_*" rules and Stream5. Is that the expected way it should work? Is there any way of making "byte_jump:" behave as if the contents were a stream?

Thank you in advance for your help.

Regards,
-- Shaiming Hsiung
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
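The thread above hinges on one mechanical question: whether a byte_jump is evaluated against the bytes of a single TCP segment or against the reassembled stream buffer. The following Python model is an added illustration for that question; it is not Snort code, not code from either poster, and it does not assert how Stream5 and byte_jump actually interact. It models a Snort-style rule of the form content:"BLEN"; byte_jump:2,0,relative; content:"|FF|"; within:1; (a hypothetical rule over a constructed "BLEN" length-prefixed record format, both assumptions) and evaluates it once per segment and once over the joined stream, so the two cases the original mail describes, a plain content match and a content match followed by byte_jump whose target lies in the next segment, can be compared side by side.

```python
# Added illustration for the byte_jump + Stream5 thread; not Snort code and
# not a statement of how Snort resolves the question. Models the hypothetical
# rule   content:"BLEN"; byte_jump:2,0,relative; content:"|FF|"; within:1;
# over a constructed record format and evaluates it per segment versus over
# the reassembled byte stream.
import struct

MAGIC = b"BLEN"      # constructed record header (assumption, not a real protocol)
TRAILER = b"\xff"    # constructed command byte that follows the payload


def byte_jump(buf, cursor, nbytes, offset, relative=True, big_endian=True, post_offset=0):
    """Model of byte_jump: read `nbytes` at cursor+offset (or at `offset` from
    the start of the buffer when not relative), convert to an integer and move
    the cursor to just past the bytes read plus that value plus post_offset.
    Returns the new cursor, or None when the read or the jump would leave the
    buffer, which is the failure mode a truncated segment produces."""
    start = (cursor if relative else 0) + offset
    if start < 0 or start + nbytes > len(buf):
        return None
    value = int.from_bytes(buf[start:start + nbytes], "big" if big_endian else "little")
    new_cursor = start + nbytes + value + post_offset
    if new_cursor < 0 or new_cursor > len(buf):
        return None
    return new_cursor


def content_only(buf):
    """content:"BLEN"; on its own, the case the poster reports as working."""
    return MAGIC in buf


def content_then_jump(buf):
    """content:"BLEN"; byte_jump:2,0,relative; content:"|FF|"; within:1;"""
    idx = buf.find(MAGIC)
    if idx < 0:
        return False
    cursor = byte_jump(buf, idx + len(MAGIC), nbytes=2, offset=0)
    if cursor is None:
        return False
    return buf[cursor:cursor + 1] == TRAILER


def build_record(payload, trailer=TRAILER):
    """Constructed record: MAGIC, 2-byte big-endian payload length, payload, trailer."""
    return MAGIC + struct.pack(">H", len(payload)) + payload + trailer


def split_stream(data, split_at):
    """Cut one record into two TCP segments at byte offset `split_at`."""
    return [data[:split_at], data[split_at:]]


def evaluate(rule, data, split_at):
    """Return (matched on some individual segment, matched on reassembled stream)."""
    segments = split_stream(data, split_at)
    per_segment = any(rule(seg) for seg in segments)
    reassembled = rule(b"".join(segments))
    return per_segment, reassembled


if __name__ == "__main__":
    rec = build_record(b"hello world")   # 18 bytes; trailer sits at index 17
    # Header intact in segment 1, payload and trailer spill into segment 2:
    # the content matches per segment, the jump only succeeds on the stream.
    print("content only, split@10       :", evaluate(content_only, rec, 10))       # (True, True)
    print("content+byte_jump, split@10  :", evaluate(content_then_jump, rec, 10))  # (False, True)
    # Magic itself cut in two: even a plain content match needs reassembly.
    print("content only, split@3        :", evaluate(content_only, rec, 3))        # (False, True)
    # Wrong trailer: the rule must stay silent even on the reassembled stream.
    bad = build_record(b"hello world", trailer=b"\x00")
    print("content+byte_jump, bad trailer:", evaluate(content_then_jump, bad, 10)) # (False, False)
```

The interesting row is the second one: the content "BLEN" is fully inside the first segment, so a per-segment evaluation finds it, but the 2-byte length it reads points 11 bytes further on, past the end of that segment, so byte_jump fails and the rule does not fire unless it is given the joined buffer. Whether Snort hands byte_jump the reassembled buffer is exactly what the poster is asking and what rmkml's request for a pcap and verbose output would settle.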
Current thread:
- byte_jump + Stream5, should it work? Shaiming Hsiung (Dec 24)
- Re: byte_jump + Stream5, should it work? rmkml (Dec 24)
- Re: byte_jump + Stream5, should it work? Joel Esler (Dec 24)
- Re: byte_jump + Stream5, should it work? Shaiming Hsiung (Dec 27)
- Re: byte_jump + Stream5, should it work? rmkml (Dec 27)
- Re: [Snort-users] byte_jump + Stream5, should it work? rmkml (Dec 27)
- Re: byte_jump + Stream5, should it work? Shaiming Hsiung (Dec 27)