Snort mailing list archives

Re: Limits of Snort TCP reconstruction


From: tom.barbette () ulg ac be
Date: Thu, 31 Aug 2017 16:55:32 +0200 (CEST)

Hi Albert,

Thanks for your quick answer. However this documentation is very much limited.

Let's say the first limit reached is a limit of 5 segments. My attack starts at segment 5. As the limit is reached, it 
is not found. Then segment 6 arrives with the end of the attack. What happens?

I specifically consider inline mode. I guess the stream will not be held for the default max window of 65536 << 14 
bytes, right?

Thanks,
Tom


----- Original Message -----
From: "Al Lewis (allewi)" <allewi () cisco com>
To: "tom barbette" <tom.barbette () ulg ac be>, snort-users () lists snort org
Sent: Thursday, 31 August 2017 16:44:20
Subject: Re: [Snort-users] Limits of Snort TCP reconstruction

Take a look at the README.stream5 included in the download.



Albert Lewis
ENGINEER.SOFTWARE ENGINEERING
SOURCEfire, Inc. now part of Cisco
Email: allewi () cisco com

On 8/31/17, 10:37 AM, "Snort-users on behalf of tom.barbette () ulg ac be"
<snort-users-bounces () lists snort org on behalf of tom.barbette () ulg ac be>
wrote:

Hi list,

I read a lot of documentation, but it is still not clear to me what the
limitations of the Snort TCP reconstruction are. It seems that when creating a rule
which matches on TCP payload, it will match the payload across multiple packets.
But what's the limit in terms of number of packets here?

E.g. If I want to match on "<script>.*</script>" in HTTP payload, would Snort
fail to match if ".*" is actually big enough?

If someone can link me to some more documentation, or help me understand the
limits, that would be great.

Thanks,

Tom
_______________________________________________
Snort-users mailing list
Snort-users () lists snort org
Go to this URL to change user options or unsubscribe:
https://lists.snort.org/mailman/listinfo/snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
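The scenario Tom sketches (a flush after a fixed number of segments, with the matched bytes starting in segment 5 and ending in segment 6) can be made concrete with a toy model. The code below is an added example, not Snort's stream5 code and not from anyone on this thread: a reassembler that concatenates segment payloads, runs a regex over the buffer once `max_segments` have arrived, and then clears the buffer. The segment contents and the `ToyReassembler`/`run_scenario` names are constructed for the illustration. It shows that with no carry-over the `<script>.*</script>` match is lost at the flush boundary, and that carrying a tail of already-inspected bytes into the next buffer (the `overlap` parameter, a common mitigation for fixed-length content) recovers it.

```python
import re
from dataclasses import dataclass, field

# Toy model of a flush-limited TCP stream reassembler (illustration only; this is
# not how Snort's stream5 preprocessor is implemented). The "rule" is a regex run
# over the reassembled payload, as in the thread's "<script>.*</script>" example.


@dataclass
class ToyReassembler:
    max_segments: int            # inspect and clear the buffer after this many segments
    pattern: re.Pattern          # what the rule looks for in the reassembled payload
    overlap: int = 0             # bytes of inspected data carried into the next buffer
    buf: bytes = b""
    segs_in_buf: int = 0
    carried: int = 0             # how many bytes at the front of buf were already reported
    matches: list = field(default_factory=list)

    def _inspect(self) -> None:
        for m in self.pattern.finditer(self.buf):
            # skip matches that lie entirely inside the carried-over tail; those were
            # already reported on the previous flush
            if m.end() > self.carried:
                self.matches.append(m.group(0))
        # keep a tail so that a match straddling the flush boundary can still be seen
        self.buf = self.buf[-self.overlap:] if self.overlap else b""
        self.carried = len(self.buf)
        self.segs_in_buf = 0

    def feed(self, payload: bytes) -> None:
        self.buf += payload
        self.segs_in_buf += 1
        if self.segs_in_buf >= self.max_segments:
            self._inspect()

    def close(self) -> list:
        # end of stream: inspect whatever is left in the buffer
        self._inspect()
        return self.matches


# Constructed HTTP response body split into six TCP segments. The pattern starts
# in segment 5 and ends in segment 6, exactly the case raised on the list.
SEGMENTS = [
    b"HTTP/1.1 200 OK\r\n",
    b"Content-Type: text/html\r\n",
    b"\r\n",
    b"<html><body>",
    b"<p>hello</p><script>ale",
    b"rt(1)</script></body></html>",
]

RULE = re.compile(rb"<script>.*</script>", re.DOTALL)


def run_scenario(max_segments: int, overlap: int = 0) -> list:
    """Feed SEGMENTS through a reassembler and return what the rule matched."""
    r = ToyReassembler(max_segments=max_segments, pattern=RULE, overlap=overlap)
    for seg in SEGMENTS:
        r.feed(seg)
    return r.close()


if __name__ == "__main__":
    print("flush after 5, no overlap :", run_scenario(5, 0))    # match lost at the boundary
    print("flush after 5, 16-byte tail:", run_scenario(5, 16))  # match recovered
    print("no flush before close     :", run_scenario(100, 0))  # whole stream inspected
```

With `overlap=0` the flush after segment 5 discards `<script>ale` before the closing tag arrives, so the rule never fires; a 16-byte tail keeps that prefix in the buffer and the match is reported when segment 6 completes it. The caveat is the one implicit in Tom's question: a carried tail only helps when the part of the match before the boundary fits in it. For a pattern with an unbounded `.*` in the middle, no fixed overlap can guarantee that, so the flush limit really does bound what such a rule can match, whatever the reassembler does about the boundary.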