Snort mailing list archives

Re: snort-2.9.6.0 problem imap, pop, smtp paf reassembly

From: "Carter Waxman (cwaxman)" <cwaxman () cisco com>
Date: Fri, 4 Apr 2014 14:22:53 +0000

Hello,

Thank you for reporting this. We are aware of this issue and it should be fixed in upcoming releases.

Thank you,
Carter

From: Mitesh Jadia <mitesh.jadia () gmail com<mailto:mitesh.jadia () gmail com>>
Date: Friday, April 4, 2014 4:11 AM
To: "Snort-devel () lists sourceforge net<mailto:Snort-devel () lists sourceforge net>" <Snort-devel () lists 
sourceforge net<mailto:Snort-devel () lists sourceforge net>>
Cc: Joel Esler <jesler () sourcefire com<mailto:jesler () sourcefire com>>
Subject: [Snort-devel] snort-2.9.6.0 problem imap,pop,smtp paf reassembly

Hello,

I found one strange behavior in imap,pop,smtp reassembly when mail has attachment with mime content-transfer-encoding = 
7bit.
configuration of paf_max is 16000 and the file has content of plain text(file-size : 64kb). Ideally I should get 
reassembled packet when paf limit is reached or EOF is reached. But I am getting reassembled packet of 1460 bytes after 
each packet from server(Imap case).

I debugged the code and found the problem with mime_paf function in file-process utility. It find \r\n in normal text 
file and flushes the packet.

Regards,
Mitesh Jadia

------------------------------------------------------------------------------

_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel
Archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel

Please visit http://blog.snort.org for the latest news about Snort!

Current thread:

snort-2.9.6.0 problem imap,pop,smtp paf reassembly Mitesh Jadia (Apr 04)
- Re: snort-2.9.6.0 problem imap, pop, smtp paf reassembly Carter Waxman (cwaxman) (Apr 04)