Snort mailing list archives
Re: Limits of Snort TCP reconstruction
From: tom.barbette () ulg ac be
Date: Thu, 31 Aug 2017 16:55:32 +0200 (CEST)
Hi Albert,

Thanks for your quick answer. However, this documentation is very much limited.

Let's say the first limit reached is a limit of 5 segments. My attack starts at segment 5. As the limit is reached, it is not found. Then segment 6 arrives with the end of the attack. What happens? I specifically consider inline mode. I guess the stream will not be held for the default max window of 65536 << 14 bytes, right?

Thanks,
Tom

----- Original Message -----
From: "Al Lewis (allewi)" <allewi () cisco com>
To: "tom barbette" <tom.barbette () ulg ac be>, snort-users () lists snort org
Sent: Thursday 31 August 2017 16:44:20
Subject: Re: [Snort-users] Limits of Snort TCP reconstruction
Take a look at the README.stream5 included in the download.

Albert Lewis
ENGINEER.SOFTWARE ENGINEERING
SOURCEfire, Inc. now part of Cisco
Email: allewi () cisco com

On 8/31/17, 10:37 AM, "Snort-users on behalf of tom.barbette () ulg ac be" <snort-users-bounces () lists snort org on behalf of tom.barbette () ulg ac be> wrote:

Hi list,

I read a lot of documentation, but it is still not clear to me what the limitations of the Snort TCP reconstruction are. It seems that when creating a rule which matches on TCP payload, it will match the payload across multiple packets. But what's the limit in terms of number of packets here? E.g. if I want to match on "<script>.*</script>" in HTTP payload, would Snort fail to match if ".*" is actually big enough?

If someone can link me to some more documentation, or help me understand the limits, that would be great.

Thanks,
Tom

_______________________________________________
Snort-users mailing list
Snort-users () lists snort org
Go to this URL to change user options or unsubscribe:
https://lists.snort.org/mailman/listinfo/snort-users
Please visit http://blog.snort.org to stay current on all the latest Snort news!
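The situation Tom describes (a pattern whose start lands in one reassembly buffer and whose end lands in the next) can be reasoned about with a small model. The following is an added example, not code from the thread or from Snort: it assumes, as a simplification, that the reassembler flushes every `max_segments` in-order segments and that the rule's pcre is evaluated on each flushed buffer on its own. Real stream5 flushing is governed by several criteria documented in README.stream5, so this only illustrates the boundary effect, not Snort's exact behaviour. The sample HTTP response segments are constructed.

```python
import re

# Constructed in-order TCP payload segments of one HTTP response.
# The "<script>" opening tag is in segment 5 and the closing tag in segment 6,
# mirroring the question in the thread.
SEGMENTS = [
    b"HTTP/1.1 200 OK\r\n",
    b"Content-Type: text/html\r\n\r\n",
    b"<html><body>",
    b"<p>hello</p>",
    b"<script>var x=1;",
    b"</script></body></html>",
]

# The rule's content pattern from the original post (non-greedy, spans newlines).
PATTERN = re.compile(rb"<script>.*?</script>", re.DOTALL)


def reassemble_in_flushes(segments, max_segments):
    """Model of a reassembler that flushes a buffer every max_segments segments
    (an assumption of this example, not Snort's real flush policy)."""
    return [b"".join(segments[i:i + max_segments])
            for i in range(0, len(segments), max_segments)]


def matches_per_flush(segments, max_segments):
    """True if the pattern is found inside any single flushed buffer.
    This models a detector that cannot see across flush boundaries."""
    return any(PATTERN.search(buf) is not None
               for buf in reassemble_in_flushes(segments, max_segments))


def matches_whole_stream(segments):
    """True if the pattern is found when the entire stream is visible at once."""
    return PATTERN.search(b"".join(segments)) is not None


def split_by_boundary(segments, max_segments):
    """Return the byte offset of the flush boundary that falls inside the match,
    or None when no boundary cuts through it. Useful when checking whether a
    given rule would survive a given flush size."""
    stream = b"".join(segments)
    m = PATTERN.search(stream)
    if m is None:
        return None
    offset, boundaries = 0, []
    for buf in reassemble_in_flushes(segments, max_segments):
        offset += len(buf)
        boundaries.append(offset)
    # A boundary exactly at the match start or end does not split the match.
    for b in boundaries:
        if m.start() < b < m.end():
            return b
    return None


if __name__ == "__main__":
    for n in (2, 5, 6):
        print(f"flush every {n} segments: per-flush match={matches_per_flush(SEGMENTS, n)}, "
              f"boundary inside match={split_by_boundary(SEGMENTS, n)}")
    print("whole stream match:", matches_whole_stream(SEGMENTS))
```

With a flush every 5 segments the boundary lands at byte 84, inside the 68..93 span of the match, so the per-flush detector misses a pattern that the whole stream plainly contains; with a flush every 2 or 6 segments the same bytes are caught. The point for rule writers is that what matters is where the flush boundaries fall relative to the pattern, not the segment count alone.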
Current thread:
- Limits of Snort TCP reconstruction tom . barbette (Aug 31)
- <Possible follow-ups>
- Re: Limits of Snort TCP reconstruction Al Lewis (allewi) via Snort-users (Aug 31)
- Re: Limits of Snort TCP reconstruction tom . barbette (Aug 31)
- Re: Limits of Snort TCP reconstruction Al Lewis (allewi) via Snort-users (Aug 31)
- Re: Limits of Snort TCP reconstruction Geoff Serrao via Snort-users (Aug 31)
- Re: Limits of Snort TCP reconstruction tom . barbette (Sep 01)
- Re: Limits of Snort TCP reconstruction Russ via Snort-users (Sep 01)
- Re: Limits of Snort TCP reconstruction tom . barbette (Aug 31)