Snort mailing list archives

snort-2.9.6.0 problem imap,pop,smtp paf reassembly


From: Mitesh Jadia <mitesh.jadia () gmail com>
Date: Fri, 4 Apr 2014 13:41:24 +0530

Hello,

I found one strange behavior in imap, pop, smtp reassembly when a mail has
an attachment with mime *content-transfer-encoding = 7bit*.
The configuration of paf_max is 16000 and the file has plain text
content (file size: 64kb). Ideally I should get a reassembled packet when
the paf limit is reached or EOF is reached. But I am getting a reassembled
packet of 1460 bytes after each packet from the server (IMAP case).

I debugged the code and found the problem with the mime_paf function in
the file-process utility. It finds \r\n in a normal text file and flushes
the packet.


Regards,
Mitesh Jadia