Snort mailing list archives
Re: Depth limit of binary flow using just pcre (no content option)
From: Frank Calone <fc10011001 () gmail com>
Date: Fri, 19 Jul 2013 14:57:26 -0400
Yes, the sessions I have seen have had no http markup at the beginning. Certainly not gzipped data either, just raw binary.

Frank

On Fri, Jul 19, 2013 at 2:42 PM, waldo kitty <wkitty42 () windstream net> wrote:
> On 7/19/2013 14:20, Frank Calone wrote:
>> I'd like to test just the first 500 bytes of a session for a pcre pattern. I've seen port 80 session data with just raw transfers, no http related stuff.
>
> are you sure that those are not just additional packets carrying data for an initial http session? they may be carrying binary data like graphics or they may be part of a gzipped session...
>
>> It appears the "depth" option must have a content check. I really don't have a good content criteria to test for. My interest is strictly in just a pattern. Any ideas on how to limit the testing to just 500 bytes of any given session? I have some content only rules that are not alerting when I added the pcre tests. I suspect trying to analyze all sessions and all bytes for a dozen different patterns is a bit much to ask of Snort.
>
> --
> NOTE: No off-list assistance is given without prior approval. Please keep mailing list traffic on the list unless private contact is specifically requested and granted.
>
> ------------------------------------------------------------------------------
> See everything from the browser to the database with AppDynamics. Get end-to-end visibility with application monitoring from AppDynamics. Isolate bottlenecks and diagnose root cause in seconds. Start your free trial of AppDynamics Pro today! http://pubads.g.doubleclick.net/gampad/clk?id=48808831&iu=/4140/ostg.clktrk
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
> Please visit http://blog.snort.org to stay current on all the latest Snort news!
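The question in this thread is how to confine a pcre test to the first 500 bytes of a buffer when there is no content match to hang a depth on. The following is an added example, not code or a rule from the thread or from the Snort project: it shows how the same bound can be expressed inside the regular expression itself (anchor at the start of the buffer, then a bounded quantifier before the pattern), checks that this is equivalent to truncating the buffer at 500 bytes, and demonstrates the caveat that the anchor is relative to whatever buffer the engine is handed, not to the first byte of the session. It assumes, as is the case for Snort 2's pcre option, that an unanchored-modifier `^` matches only at byte 0 of the buffer being inspected; the sample payloads, the pattern `\x7fELF`, the rule header and the sid are all constructed placeholders.

```python
import re

# --- Constructed sample data (not captured traffic) ---------------------------
MAGIC = b"\x7fELF"   # the pattern to hunt for; any byte sequence would do (constructed)
DEPTH = 500          # the 500-byte limit asked about in the thread


def build_payload(offset: int, total: int = 2000) -> bytes:
    """Return a raw binary blob (no HTTP header) with MAGIC placed at byte `offset`."""
    filler = bytes((i * 37) & 0xFF for i in range(total))   # deterministic noise
    return filler[:offset] + MAGIC + filler[offset + len(MAGIC):]


# --- Approach A: what a content-style `depth` does: inspect only buf[:depth] ----
def match_truncated(buf: bytes, pattern: bytes = MAGIC, depth: int = DEPTH) -> bool:
    return pattern in buf[:depth]


# --- Approach B: put the depth inside the regex, since pcre has no depth option --
def bounded_regex(pattern: bytes, depth: int):
    """Compile ^[\\x00-\\xff]{0,N}PATTERN with N = depth - len(pattern).

    `^` anchors at byte 0 of the buffer the engine is given; the bounded
    quantifier caps how far from that start the pattern may begin, so the
    whole pattern must lie within the first `depth` bytes.
    """
    max_lead = depth - len(pattern)
    return re.compile(rb"^[\x00-\xff]{0,%d}" % max_lead + re.escape(pattern), re.DOTALL)


def match_bounded(buf: bytes, pattern: bytes = MAGIC, depth: int = DEPTH) -> bool:
    return bounded_regex(pattern, depth).search(buf) is not None


def snort_pcre_rule(pattern: bytes, depth: int, sid: int) -> str:
    """Render the same bound as a Snort 2 rule string.

    The header, msg and flow option are illustrative and the sid is a
    placeholder (hypothetical values, not taken from the thread).
    """
    max_lead = depth - len(pattern)
    regex = "".join(r"\x%02x" % b for b in pattern)      # hex-escape every byte
    return ('alert tcp $EXTERNAL_NET any -> $HOME_NET 80 ('
            'msg:"pattern within first %d bytes of buffer"; flow:established; '
            'pcre:"/^[\\x00-\\xff]{0,%d}%s/"; sid:%d; rev:1;)'
            % (depth, max_lead, regex, sid))


# --- Caveat: the anchor is per buffer, not per session -------------------------
def match_per_segment(segments, pattern: bytes = MAGIC, depth: int = DEPTH) -> bool:
    """If a session reaches the engine as several reassembled buffers, `^`
    re-anchors at the start of each one, so the depth is measured from each
    buffer's first byte rather than from the first byte of the session.
    """
    return any(match_bounded(seg, pattern, depth) for seg in segments)


if __name__ == "__main__":
    for off in (100, 496, 497):
        print(off, match_truncated(build_payload(off)), match_bounded(build_payload(off)))
    session = build_payload(1200)
    print("whole session:", match_bounded(session))
    print("split at 1000:", match_per_segment([session[:1000], session[1000:]]))
    print(snort_pcre_rule(MAGIC, DEPTH, 1000001))
```

Two points follow from the demonstration. First, the bounded-quantifier form only limits how far into a given buffer the engine looks; with stream reassembly the rule can fire on a pattern that sits well past byte 500 of the session if it lands near the start of a later reassembled chunk, so "first 500 bytes of a session" is not strictly expressible this way. Second, a rule with no content option contributes nothing to the fast-pattern matcher, so the PCRE runs against every packet whose header matches the rule, which is the cost behind the concern about testing a dozen patterns over all sessions.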