Re: Snort decoder

[Ron Sal <nsamurain () gmail com>]

I have allready looked at that option and i have configured it for 0 - unlimited... Snort.log says that i decoded same 
amount of bytes as the attached file is...

So i do not think that is the problem but sounds like some kind of buffer issue... Maybe a buffer that keeps track of 
some pointer... So if distance is to far it do not work... Please help me out here....

Sent from my iPhone

> On 26/01/2015, at 14.31, Al Lewis (allewi) <allewi () cisco com> wrote:
>
> Base64 depth can be set under each preprocessor. In general "-1" disables it ,0 sets it to unlimited. Anything 
> between 1-65535 sets it to a specific depth. See the manual for an example here:
>
> http://manual.snort.org/node17.html
>
>
> From the manual on the smtp preprocessor section:
>
> b64_decode_depth 
> This config option is used to turn off/on or set the base64 decoding depth used to decode the base64 encoded MIME 
> attachments. The value ranges from -1 to 65535. A value of -1 turns off the base64 decoding of MIME attachments. The 
> value of 0 sets the decoding of base64 encoded MIME attachments to unlimited. A value other than 0 or -1 restricts 
> the decoding of base64 MIME attachments, and applies per attachment. A SMTP preprocessor alert with sid 10 is 
> generated (if enabled) when the decoding fails.
>
>
> Hope this helps.
>
> Albert Lewis
> QA Software Engineer
> SOURCEfire, Inc. now part of Cisco
> 9780 Patuxent Woods Drive
> Columbia, MD 21046 
> Phone: (office) 443.430.7112
> Email: allewi () cisco com 
>
> -----Original Message-----
> From: Ron Sal [mailto:nsamurain () gmail com] 
> Sent: Monday, January 26, 2015 8:21 AM
> To: snort-devel () lists sourceforge net
> Subject: [Snort-devel] Snort decoder
>
>
> > my problem is that if i want to match on multiple content within the
> > base64 decoded data ( done by preprocessor, file_data) its like there 
> > is a limit for maximum distance between the contents.
> >
> > 2 content with 10024 bytes between and that is not working but 2 
> > content with 2016 between is working Is there a limit? can i read 
> > about it? is it configurable?
>
> /Ronnie
>
> ------------------------------------------------------------------------------
> Dive into the World of Parallel Programming. The Go Parallel Website, sponsored by Intel and developed in partnership 
> with Slashdot Media, is your hub for all things parallel software development, from weekly thought leadership blogs 
> to news, videos, case studies, tutorials and more. Take a look and join the conversation now. 
> http://goparallel.sourceforge.net/
> _______________________________________________
> Snort-devel mailing list
> Snort-devel () lists sourceforge net
> https://lists.sourceforge.net/lists/listinfo/snort-devel
> Archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel
>
> Please visit http://blog.snort.org for the latest news about Snort!

------------------------------------------------------------------------------
Dive into the World of Parallel Programming. The Go Parallel Website,
sponsored by Intel and developed in partnership with Slashdot Media, is your
hub for all things parallel software development, from weekly thought
leadership blogs to news, videos, case studies, tutorials and more. Take a
look and join the conversation now. http://goparallel.sourceforge.net/
_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel
Archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel

Please visit http://blog.snort.org for the latest news about Snort!