Re: Depth limit of binary flow using just pcre (no content option)

[Joel Esler <jesler () sourcefire com>]

On Jul 19, 2013, at 2:20 PM, Frank Calone <fc10011001 () gmail com> wrote:

> I'd like to test just the first 500 bytes of a session for a pcre pattern.  I've seen port 80 session data with just 
> raw tranfers, no http related stuff.  It appears the "depth" option must have a content check. 

Correct.

> I really don't have a good content criteria to test for.  My interest is strictly in just a pattern.  Any ideas on 
> how to limit the testing to just 500 bytes of any given session? 

My default Snort will examine the 1514 byte packet.  In order to truncate the packet you will have to set the snaplen 
to a smaller number.

> I have some content only rules that are not alerting when I added the pcre tests.  I suspect trying to analyze all 
> sessions and all bytes for a dozen different patterns is a bit much to ask of Snort.

If you posted your rules and the pcap we could help better.

--
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire

------------------------------------------------------------------------------
See everything from the browser to the database with AppDynamics
Get end-to-end visibility with application monitoring from AppDynamics
Isolate bottlenecks and diagnose root cause in seconds.
Start your free trial of AppDynamics Pro today!
http://pubads.g.doubleclick.net/gampad/clk?id=48808831&iu=/4140/ostg.clktrk

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!