Snort mailing list archives

Re: content: Rule won't match on packet over 1443 Bytes


From: "Al Lewis \(allewi\) via Snort-users" <snort-users () lists snort org>
Date: Fri, 16 Nov 2018 08:40:50 +0000

Do you have a copy of the pcap that you can share?


Albert Lewis
ENGINEER.SOFTWARE ENGINEERING
Cisco Systems Inc.
Email: allewi () cisco com<mailto:allewi () cisco com>


From: Snort-users <snort-users-bounces () lists snort org> on behalf of phez asap via Snort-users <snort-users () lists 
snort org>
Reply-To: phez asap <phez.asap () gmail com>
Date: Friday, November 16, 2018 at 1:33 AM
To: "snort-users () lists snort org" <snort-users () lists snort org>
Subject: [Snort-users] content: Rule won't match on packet over 1443 Bytes

Hi All
I ran into an interesting issue that I cannot figure out. I have a basic string content match (size: four characters) that works perfectly as long as the packet data does not exceed 1443 bytes. If the packet data is 1444 it does not work.

The packets are vlan tagged but that does not seem to be causing the issue.

The test setup:

Snort rule:
alert tcp any any <> any 5000 (msg:"test message";content:"g5Ag";sid:10000009;rev:1;)

Generating text buffer:

Client side (This works)
/usr/share/metasploit-framework/tools/exploits/pattern_create.rb -l 1443 | nc 192.168.100.4 5000

Client side (This does not work)
/usr/share/metasploit-framework/tools/exploits/pattern_create.rb -l 1444 | nc 192.168.100.4 5000

Server side:
nc -l -p 5000


What I have tried:

I thought maybe it was when the data split into two packets, so I took a look in Wireshark, but that's (at 1447). Don't think that is causing it.

Tried writing the rule with a flow statement (I did not think it would work with flow if it did not work without it, but tried it anyway). I added port 5000 to the stream processor ports client. No luck.

Any ideas on what might be going on here?





_______________________________________________
Snort-users mailing list
Snort-users () lists snort org
Go to this URL to change user options or unsubscribe:
https://lists.snort.org/mailman/listinfo/snort-users

        To unsubscribe, send an email to:
        snort-users-leave () lists snort org

Please visit http://blog.snort.org to stay current on all the latest Snort news!

Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette
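An added check, not part of the thread, that regenerates the two test payloads offline using the same cyclic ordering pattern_create.rb uses (default upper/lower/digit sets assumed; the trailing newline nc would forward is ignored) and reports where the rule's content "g5Ag" lands in each, so the payload itself can be ruled out before looking at packet handling:

```python
"""Rebuild the 1443- and 1444-byte test payloads and locate the rule's content in them."""
import string


def pattern_create(length: int) -> bytes:
    """Cyclic pattern in the order pattern_create.rb emits it:
    triples of (upper, lower, digit), i.e. Aa0Aa1...Aa9Ab0..., cut to `length` bytes.
    Assumption: default character sets, no custom -s sets."""
    out = bytearray()
    for upper in string.ascii_uppercase:
        for lower in string.ascii_lowercase:
            for digit in string.digits:
                out += (upper + lower + digit).encode()
                if len(out) >= length:
                    return bytes(out[:length])
    return bytes(out[:length])


def content_offsets(payload: bytes, content: bytes) -> list[int]:
    """Every offset at which a plain Snort content: match would fire (byte-exact search)."""
    offsets, start = [], 0
    while (i := payload.find(content, start)) != -1:
        offsets.append(i)
        start = i + 1
    return offsets


def check_lengths(content: bytes, lengths) -> dict[int, list[int]]:
    """Map each payload length to the offsets where `content` occurs in that payload."""
    return {n: content_offsets(pattern_create(n), content) for n in lengths}


if __name__ == "__main__":
    # Both lengths from the post; the content sits at the same offset in each,
    # so a miss at 1444 bytes is not explained by the payload contents.
    for n, offs in check_lengths(b"g5Ag", (1443, 1444)).items():
        print(f"length {n}: content found at offsets {offs}")
```

If both lengths report the same offset, the difference the poster sees lies in how the packet reaches the rule engine (capture length, VLAN handling, stream reassembly), not in the bytes being matched.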
