Snort mailing list archives
(no subject)
From: Hema Krishnamurthy <hemasreeram () yahoo com>
Date: Wed, 12 Jan 2005 09:17:17 -0800 (PST)
Hi,

Can someone please explain to me this comment in fpdetect.c?

PKT_REBUILT_STREAM packets are re-injected streams. This means
** that the "packet headers" are completely bogus and only the
** content matches are important. So for PKT_REBUILT_STREAMs, we
** don't inspect against no-content OTNs since these deal with
** packet headers, packet sizes, etc.
**
** NOTE:
** This has been changed when evaluating no-content rules because
** it was interfering with the pass->alert ordering. We still
** need to check no-contents against rebuilt packets, because of
** this problem. Immediate solution is to have the detection plugins
** bail if the rule should only be inspected against packets, a.k.a
** dsize checks.

Thanks
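Added example, not part of the original message and not Snort's code: a simplified C model of the behaviour the quoted comment describes, where no-content rules are still evaluated against rebuilt-stream packets so a pass rule can outrank an alert, while a size check bails on them. The types, the function names, the flag's value and the sample data are assumptions made for illustration; only the name PKT_REBUILT_STREAM comes from the comment.

```c
#include <stddef.h>
#include <string.h>

#define PKT_REBUILT_STREAM 0x1u  /* constructed value; only the name is from the comment */
enum action { NO_MATCH, ALERT, PASS };  /* numeric order used below: PASS outranks ALERT */
typedef struct { unsigned flags; const char *data; size_t dsize; } Packet;
typedef struct {
    enum action act;
    const char *content;  /* NULL marks a no-content rule */
    size_t dsize_max;     /* 0 = no size option, else match payloads up to this size */
} Rule;

/* Size check: a rebuilt stream's size is the reassembled length, not a wire
   packet's size, so the check bails and reports no match. */
static int check_dsize(const Packet *p, const Rule *r) {
    if (p->flags & PKT_REBUILT_STREAM)
        return 0;
    return p->dsize <= r->dsize_max;
}

/* Plain substring search over the payload. */
static int check_content(const Packet *p, const Rule *r) {
    size_t n = strlen(r->content);
    for (size_t i = 0; i + n <= p->dsize; i++)
        if (memcmp(p->data + i, r->content, n) == 0)
            return 1;
    return 0;
}

static int rule_matches(const Packet *p, const Rule *r) {
    if (r->content && !check_content(p, r)) return 0;
    if (r->dsize_max && !check_dsize(p, r)) return 0;
    return 1;
}

/* Every rule, content or not, is tried against every packet, rebuilt or not,
   so a no-content pass rule can override an alert on reassembled content. */
enum action evaluate(const Packet *p, const Rule *rules, size_t n) {
    enum action verdict = NO_MATCH;
    for (size_t i = 0; i < n; i++)
        if (rule_matches(p, &rules[i]) && rules[i].act > verdict)
            verdict = rules[i].act;
    return verdict;
}

int main(void) {
    Packet rebuilt = { PKT_REBUILT_STREAM, "evil", 4 };  /* constructed sample */
    Rule rules[] = { { ALERT, "evil", 0 }, { PASS, NULL, 0 }, { ALERT, NULL, 4 } };
    return evaluate(&rebuilt, rules, 3) == PASS ? 0 : 1;
}
```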