Snort mailing list archives
Re: content-rule not matching with no_stream_inserts on 1st packet
From: Hui Cao <hcao () sourcefire com>
Date: Wed, 25 Sep 2013 15:40:44 -0400
Hi Florian,

Thanks for reporting this issue. We are looking into this.

Best,
Hui

On Wed, Sep 25, 2013 at 12:30 PM, Florian Westphal <florian.westphal () sophos com> wrote:
Snort 2.9.5.3. A simple rule like:

    alert tcp any any -> any any (msg:"Foobar"; content:"foobar"; sid:12345;)

does not match if all of the following conditions hold:

- connection is not being reassembled (ports are not listed in stream5 config)
- "config detection: no_stream_inserts" is enabled in snort.conf
- the pattern appears in the first data packet

The first packet still has "PKT_STREAM_INSERT" flag set, which is why fpEvalHeaderSW() skips it. But no reassembled packet will ever be sent to the detection engine.

This is no longer the case for subsequent packets, so if the content appears in a later packet the alert is triggered.

The rule will fire with the attached pcap even in the above config when I add a Stream5FlushTalker() to AutoDiable() in src/preprocessors/Stream5/snort_stream5_tcp.c.

It would be nice if this could be fixed in a future release of snort.

Thanks,
Florian

------------------------------------------------------------------------------
October Webinars: Code for Performance
Free Intel webinars can help you accelerate application performance. Explore tips for MPI, OpenMP, advanced profiling, and more. Get the most from the latest Intel processors and coprocessors. See abstracts and register > http://pubads.g.doubleclick.net/gampad/clk?id=60133471&iu=/4140/ostg.clktrk
_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel
Archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel
Please visit http://blog.snort.org for the latest news about Snort!
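The pcap Florian attached is not part of the archived page. The script below is an added example (written for this page, not code from the report or from the Snort project) that builds a pcap with the same shape from the Python standard library alone: a TCP three-way handshake on a port assumed not to be in your stream5_tcp port list, a first data segment carrying "foobar", a server ACK, and a second data segment carrying "foobar" again. The MAC/IP addresses, port numbers, sequence numbers, timestamps and the output file name are all constructed assumptions; the checksum, TCP, IPv4 and pcap-file layouts are the standard ones.

```python
"""Build a small pcap reproducing the report's setup: a TCP session on a port
that stream5 does not reassemble, whose FIRST data segment carries "foobar",
followed by a LATER data segment that carries it again.
Link type is Ethernet (DLT_EN10MB = 1). Stdlib only.
All traffic here is constructed; addresses and ports are assumptions."""
import struct

# Constructed endpoints (assumptions, not taken from the report).
CLIENT_MAC = bytes.fromhex("020000000001")
SERVER_MAC = bytes.fromhex("020000000002")
CLIENT_IP = "10.0.0.1"
SERVER_IP = "10.0.0.2"
CLIENT_PORT = 40000
SERVER_PORT = 31337  # assumed NOT to appear in the stream5_tcp "ports" list

FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10


def checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement sum over 16-bit words (odd length zero-padded)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ip_bytes(addr: str) -> bytes:
    return bytes(int(o) for o in addr.split("."))


def tcp_segment(src_ip, dst_ip, sport, dport, seq, ack, flags, payload=b"") -> bytes:
    """20-byte TCP header (no options) + payload, checksum over the IPv4 pseudo-header."""
    hdr = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 65535, 0, 0)
    pseudo = ip_bytes(src_ip) + ip_bytes(dst_ip) + struct.pack("!BBH", 0, 6, len(hdr) + len(payload))
    csum = checksum(pseudo + hdr + payload)
    return hdr[:16] + struct.pack("!H", csum) + hdr[18:] + payload


def ip_packet(src_ip, dst_ip, payload: bytes, ident: int) -> bytes:
    """20-byte IPv4 header (DF set, TTL 64, proto TCP) + payload, header checksum filled in."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident, 0x4000, 64, 6, 0,
                      ip_bytes(src_ip), ip_bytes(dst_ip))
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:] + payload


def frame(src_mac: bytes, dst_mac: bytes, ip_payload: bytes) -> bytes:
    return dst_mac + src_mac + b"\x08\x00" + ip_payload


def build_session(pattern: bytes = b"foobar"):
    """Frames for: SYN, SYN/ACK, ACK, first client data (pattern), server ACK,
    second client data (pattern again). Index 3 is the first data packet."""
    c_isn, s_isn = 1000, 5000
    c = lambda flags, seq, ack, data=b"": tcp_segment(CLIENT_IP, SERVER_IP, CLIENT_PORT, SERVER_PORT, seq, ack, flags, data)
    s = lambda flags, seq, ack, data=b"": tcp_segment(SERVER_IP, CLIENT_IP, SERVER_PORT, CLIENT_PORT, seq, ack, flags, data)
    first = b"GET /" + pattern + b" HTTP/1.0\r\n\r\n"  # pattern in the FIRST data packet
    later = b"again: " + pattern + b"\r\n"              # pattern in a LATER data packet
    segs = [
        (CLIENT_IP, SERVER_IP, CLIENT_MAC, SERVER_MAC, c(SYN, c_isn, 0)),
        (SERVER_IP, CLIENT_IP, SERVER_MAC, CLIENT_MAC, s(SYN | ACK, s_isn, c_isn + 1)),
        (CLIENT_IP, SERVER_IP, CLIENT_MAC, SERVER_MAC, c(ACK, c_isn + 1, s_isn + 1)),
        (CLIENT_IP, SERVER_IP, CLIENT_MAC, SERVER_MAC, c(PSH | ACK, c_isn + 1, s_isn + 1, first)),
        (SERVER_IP, CLIENT_IP, SERVER_MAC, CLIENT_MAC, s(ACK, s_isn + 1, c_isn + 1 + len(first))),
        (CLIENT_IP, SERVER_IP, CLIENT_MAC, SERVER_MAC, c(PSH | ACK, c_isn + 1 + len(first), s_isn + 1, later)),
    ]
    return [frame(smac, dmac, ip_packet(sip, dip, seg, 100 + i))
            for i, (sip, dip, smac, dmac, seg) in enumerate(segs)]


def pcap_bytes(frames, link_type: int = 1) -> bytes:
    """Serialize frames as a classic little-endian pcap file (magic 0xa1b2c3d4)."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, link_type)]
    for i, f in enumerate(frames):
        out.append(struct.pack("<IIII", 1380000000 + i, 0, len(f), len(f)) + f)
    return b"".join(out)


def first_data_frame_index(frames) -> int:
    """Index of the first frame whose TCP segment carries a payload; a check that
    the pattern really sits in the first data packet and not in the handshake."""
    for i, f in enumerate(frames):
        ihl = (f[14] & 0x0F) * 4
        total = struct.unpack("!H", f[16:18])[0]
        doff = (f[14 + ihl + 12] >> 4) * 4
        if total - ihl - doff > 0:
            return i
    return -1


if __name__ == "__main__":
    with open("no_stream_inserts_repro.pcap", "wb") as fh:  # assumed output name
        fh.write(pcap_bytes(build_session()))
```

Replay it against a snort.conf that has "config detection: no_stream_inserts", a stream5_tcp "ports" list that omits 31337, and the rule from the report (for example `snort -c snort.conf -r no_stream_inserts_repro.pcap -A console`). If the behaviour Florian describes holds on your build, only the second data packet produces an alert; adding 31337 to the stream5_tcp port list, or dropping no_stream_inserts, removes the conditions he lists, so the first packet should alert as well.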
Current thread:
- content-rule not matching with no_stream_inserts on 1st packet Florian Westphal (Sep 25)
- Re: content-rule not matching with no_stream_inserts on 1st packet Hui Cao (Sep 25)