Snort mailing list archives
Re: byte_jump + Stream5, should it work?
From: Joel Esler <jesler () sourcefire com>
Date: Sat, 24 Dec 2011 11:26:57 -0500
You can try only_stream in your flow statement; however, doing what you are trying to do depends on several things. It would help if you were posting a rule along with a pcap.

--
Joel Esler

On Dec 23, 2011, at 3:43 PM, Shaiming Hsiung <shaiming.hsiung () gmail com> wrote:
Hello,

I am attempting to use Snort (version: 2.9.1.2 IPv6 GRE (Build 84)) to filter application-level packages in binary length-encoded format. The Stream5 and HttpInspect preprocessors are enabled.

As far as I understand, when Stream5 is enabled, Snort is able to detect packages matching "content:" rules, even if the target string is fragmented across multiple TCP packages. Experience seems to confirm that. However, when I use "byte_jump:" rules, Snort seems not to be able to jump past the TCP package boundary, even though Stream5 is enabled. I haven't found any documentation in the Snort User's Manual regarding the relationship between the "byte_*" rules and Stream5.

Is that the expected way it should work? Is there any way of making "byte_jump:" behave as if the contents were a stream?

Thank you in advance for your help.

Regards,
--
Shaiming Hsiung

------------------------------------------------------------------------------
Write once. Port to many. Get the SDK and tools to simplify cross-platform app development. Create new or port existing apps to sell to consumers worldwide. Explore the Intel AppUpSM program developer opportunity. appdeveloper.intel.com/join http://p.sf.net/sfu/intel-appdev
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Please visit http://blog.snort.org to stay current on all the latest Snort news!
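Joel asks for a rule and a pcap; as an added illustration (not from the thread and not Snort's own code), here is a small Python model of the byte_jump semantics Shaiming describes, evaluated once per TCP segment and once over the reassembled stream. The record layout, the rule it models (content:"RQ"; byte_jump:2,0,relative,big; content:"END"; within:3;) and the segment split are all constructed; the model assumes byte_jump fails when the length field or the jump target lies outside the buffer being inspected.

```python
import struct

def byte_jump(buf, cursor, nbytes, offset, relative=True, big=True):
    """Model of byte_jump: read nbytes at offset (relative to cursor),
    then move the cursor past those bytes plus the value read.
    Returns the new cursor, or None if the option cannot be satisfied
    inside this buffer (assumed to behave like a failed option)."""
    start = (cursor if relative else 0) + offset
    end = start + nbytes
    if start < 0 or end > len(buf):
        return None  # length field is not inside this buffer
    value = int.from_bytes(buf[start:end], "big" if big else "little")
    target = end + value
    if target > len(buf):
        return None  # jump lands beyond the buffer (e.g. past a segment)
    return target

def rule_matches(buf):
    """Model of: content:"RQ"; byte_jump:2,0,relative,big; content:"END"; within:3;"""
    pos = buf.find(b"RQ")
    if pos < 0:
        return False
    cursor = byte_jump(buf, pos + 2, 2, 0)  # length field follows the magic
    if cursor is None:
        return False
    return buf[cursor:cursor + 3] == b"END"  # trailer must sit right after the body

# Constructed sample record: 2-byte magic, 2-byte big-endian body length,
# body, 3-byte trailer. 47 bytes in total.
BODY = b"A" * 40
RECORD = b"RQ" + struct.pack(">H", len(BODY)) + BODY + b"END"

# Constructed segmentation: the sender's TCP segments cut the record mid-body,
# so the length field is in segment 1 but the trailer is in segment 2.
SEGMENTS = [RECORD[:20], RECORD[20:]]

def per_segment_results():
    """Rule evaluated against each raw segment on its own."""
    return [rule_matches(seg) for seg in SEGMENTS]  # [False, False]

def reassembled_result():
    """Rule evaluated against the rebuilt stream, the buffer a reassembling
    preprocessor would hand to detection."""
    return rule_matches(b"".join(SEGMENTS))  # True

if __name__ == "__main__":
    print("per segment:", per_segment_results())
    print("reassembled:", reassembled_result())
```

The per-segment case is the failure Shaiming reports: the jump target is past the end of the individual packet; the reassembled case is the buffer a flow:only_stream rule would be evaluated against.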