Snort mailing list archives
RE: [Snort-devel] dsize broken in snort 2 (and possibly 1.9.x)
From: "Kreimendahl, Chad J" <Chad.Kreimendahl () umb com>
Date: Tue, 29 Oct 2002 14:57:54 -0600
Here it is:

tcp any any -> any any (msg:"LOCAL Someone email rule"; content:"some.user () umb com"; nocase; flow:established; dsize: >200; classtype:string-detect; sid:9999; rev:1;)

-----Original Message-----
From: Chris Green [mailto:cmg () snort org]
Sent: Tuesday, October 29, 2002 2:52 PM
To: Kreimendahl, Chad J
Cc: snort-devel () lists sourceforge net; snort-users () lists sourceforge net
Subject: Re: [Snort-devel] dsize broken in snort 2 (and possibly 1.9.x)

"Kreimendahl, Chad J" <Chad.Kreimendahl () umb com> writes:
> It appears that in at least v2 of snort that dsize is not working for any rule that uses it. Anyone else experienced this?

dsize should not be used for things coming out of the stream reassembler and the sig set needs to be audited for things that rely on it.

Do you have an example packet that you are expecting to see go off?
--
Chris Green <cmg () sourcefire com>
This is my signature. There are many like it but this one is mine.
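
The reply above says the signature set needs to be audited for rules that rely on dsize. One way to run that audit, as an added example that is not part of the thread or of Snort itself: a Python script that lists enabled TCP rules carrying a dsize option, along with their flow setting. The sample rules and the names `split_options` and `audit_dsize` are constructed for illustration, and treating every TCP rule with dsize as a review candidate is an assumption.

```python
import re

# Constructed sample ruleset for the demo (sids, messages and ports are made up).
SAMPLE_RULES = r'''
alert tcp any any -> any any (msg:"LOCAL mail string"; content:"user@example.com"; nocase; flow:established; dsize:>200; sid:1000001; rev:1;)
alert udp any any -> any 53 (msg:"LOCAL big DNS query"; dsize:>512; sid:1000002; rev:1;)
alert tcp any any -> any 80 (msg:"LOCAL \"dsize:>1\;\" in msg only"; content:"GET"; sid:1000003; rev:1;)
# alert tcp any any -> any any (msg:"disabled"; dsize:<10; sid:1000004;)
alert tcp any any -> any 21 (msg:"LOCAL short FTP cmd"; dsize:<5; sid:1000005; rev:1;)
'''

# action, protocol, then everything between the first "(" and the last ")".
RULE_RE = re.compile(r'^(?P<action>\w+)\s+(?P<proto>\w+)\s+[^(]+\((?P<body>.*)\)\s*$')

def split_options(body):
    """Split a rule's option body on ';', honouring quotes and backslash escapes."""
    opts, cur, in_quote, i = [], [], False, 0
    while i < len(body):
        ch = body[i]
        if ch == "\\" and i + 1 < len(body):   # keep an escaped char with its backslash
            cur.append(body[i:i + 2])
            i += 2
            continue
        if ch == '"':
            in_quote = not in_quote
        if ch == ";" and not in_quote:          # option terminator
            opts.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
        i += 1
    return [o for o in opts if o]

def audit_dsize(ruleset):
    """Return one finding per enabled TCP rule that has a dsize option."""
    findings = []
    for line in ruleset.splitlines():
        line = line.strip()
        m = RULE_RE.match(line) if line and not line.startswith("#") else None
        if not m or m.group("proto").lower() != "tcp":
            continue                            # comments, blanks, non-TCP rules
        opts = {}
        for opt in split_options(m.group("body")):
            key, _, val = opt.partition(":")
            opts[key.strip().lower()] = val.strip()
        if "dsize" in opts:
            findings.append({"sid": opts.get("sid"), "dsize": opts["dsize"],
                             "flow": opts.get("flow")})
    return findings

if __name__ == "__main__":
    for f in audit_dsize(SAMPLE_RULES):
        print(f"review sid {f['sid']}: dsize {f['dsize']} (flow: {f['flow']})")
```
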