Snort mailing list archives
Effect of stream4 on rules
From: "Oliver Dain" <odain () ll mit edu>
Date: Wed, 30 Jan 2002 18:25:32 -0500
If I use the stream4 stream reassembly pre-processor, what do the rules "see"? I would assume they would see the reassembled stream, so that if my rule contained 'content: "hacker"' and "hack" was sent in one packet and "er" was sent in the next packet, my rule would still match. However, I'm not clear on how rules that include things like ttl, tcp flags, etc. match, since what is passed to the rules is now the concatenation of multiple packets. Does anybody know how this works?

Oliver Dain
Information Systems Technology Group
MIT Lincoln Laboratory
244 Wood Street
Lexington, MA 02420-9185
voice: (781) 981-4788
e-mail: odain () sst ll mit edu
web: http://www.ll.mit.edu/IST
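An added illustration, not part of the original post and not Snort's stream4 code: a toy reassembler orders constructed TCP segments by sequence number, then compares per-packet content matching with matching on the joined payload, and reports which segments a match spans. The names (Segment, reassemble, match_on_stream), the keep-first-copy overlap policy and the sample values are assumptions made for the example; it does not show how Snort evaluates ttl or flags.

```python
from typing import List, NamedTuple, Tuple

class Segment(NamedTuple):
    seq: int        # sequence number of the first payload byte
    ttl: int        # per-packet header field
    flags: str      # per-packet TCP flags, e.g. "PA"
    payload: bytes

def reassemble(segments: List[Segment], isn: int) -> Tuple[bytes, list]:
    """Join payloads in sequence order, starting at isn (first data byte).
    Assumed policy: retransmitted/overlapping bytes keep the first copy,
    reassembly stops at the first gap, sequence wraparound is ignored."""
    stream, spans = bytearray(), []
    for seg in sorted(segments, key=lambda s: s.seq):
        offset = seg.seq - isn
        if offset > len(stream):                   # a segment is missing
            break
        new = seg.payload[len(stream) - offset:]   # drop bytes already seen
        if new:
            spans.append((len(stream), len(stream) + len(new), seg))
            stream += new
    return bytes(stream), spans

def per_packet_hits(segments: List[Segment], needle: bytes) -> List[Segment]:
    """Matching without reassembly: each payload is searched on its own."""
    return [s for s in segments if needle in s.payload]

def match_on_stream(segments: List[Segment], isn: int, needle: bytes) -> List[Segment]:
    """Segments whose bytes make up the first match in the stream, or []."""
    stream, spans = reassemble(segments, isn)
    pos = stream.find(needle)
    if pos < 0:
        return []
    end = pos + len(needle)
    return [seg for start, stop, seg in spans if start < end and stop > pos]

# Constructed sample: out-of-order arrival plus one retransmission.
SEGMENTS = [
    Segment(1009, 61, "PA", b"er\r\n"),
    Segment(1000, 64, "PA", b"USER hack"),
    Segment(1000, 64, "PA", b"USER hack"),
]

if __name__ == "__main__":
    print("per-packet hits:", per_packet_hits(SEGMENTS, b"hacker"))
    hit = match_on_stream(SEGMENTS, 1000, b"hacker")
    print("stream match spans ttl/flags:", [(s.ttl, s.flags) for s in hit])
```

The match on the joined payload spans two segments with different ttl values, which is the ambiguity the question raises for header-based rule options.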