Snort mailing list archives
Re: Limits of Snort TCP reconstruction
From: "Al Lewis \(allewi\) via Snort-users" <snort-users () lists snort org>
Date: Thu, 31 Aug 2017 14:59:36 +0000
If the limit is reached and it's not found... I wouldn't expect to see an alert. The size of the data held can be set and should be explained in the readme.

Albert Lewis
ENGINEER.SOFTWARE ENGINEERING
SOURCEfire, Inc. now part of Cisco
Email: allewi () cisco com

On 8/31/17, 10:55 AM, "tom.barbette () ulg ac be" <tom.barbette () ulg ac be> wrote:

Hi Albert,

Thanks for your quick answer. However, this documentation is very much limited. Let's say the first limit reached is a limit of 5 segments. My attack starts at segment 5. As the limit is reached, it is not found. Then segment 6 arrives with the end of the attack. What happens? I specifically consider inline mode. I guess the stream will not be held for the default max window of 65536 << 14 bytes, right?

Thanks,
Tom

----- Original Mail -----
From: "Al Lewis (allewi)" <allewi () cisco com>
To: "tom barbette" <tom.barbette () ulg ac be>, snort-users () lists snort org
Sent: Thursday, 31 August 2017 16:44:20
Subject: Re: [Snort-users] Limits of Snort TCP reconstruction

Take a look at the README.stream5 included in the download.

Albert Lewis
ENGINEER.SOFTWARE ENGINEERING
SOURCEfire, Inc. now part of Cisco
Email: allewi () cisco com

On 8/31/17, 10:37 AM, "Snort-users on behalf of tom.barbette () ulg ac be" <snort-users-bounces () lists snort org on behalf of tom.barbette () ulg ac be> wrote:

Hi list,

I read a lot of documentation, but it is still not clear to me what the limitations of the Snort TCP reconstruction are. It seems that when creating a rule which matches on TCP payload, it will match the payload across multiple packets. But what's the limit in terms of number of packets here? E.g. if I want to match on "<script>.*</script>" in HTTP payload, would Snort fail to match if ".*" is actually big enough? If someone can link me to some more documentation, or help me understand the limits, that would be great.

Thanks,
Tom

_______________________________________________
Snort-users mailing list
Snort-users () lists snort org
Go to this URL to change user options or unsubscribe: https://lists.snort.org/mailman/listinfo/snort-users
Please visit http://blog.snort.org to stay current on all the latest Snort news!
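A toy model of the scenario Tom describes, added here as an illustration and not Snort's own code or its stream5 logic: a reassembler that only runs the rule's regex over what it has buffered when its segment limit is reached (or the flow ends), so a pattern whose start lands in segment 5 and whose end arrives in segment 6 is never seen whole when the limit is 5. The class, the `max_segments` knob and the sample flow are all assumptions made for the example.

```python
import re

# Simplified model (constructed for this example, not Snort's implementation):
# in-order segments are appended to a buffer; detection runs on the buffer
# only when the segment limit is hit or the flow finishes, after which the
# buffer is discarded. This mirrors the thread's scenario, not real stream5.
class SegmentLimitedReassembler:
    def __init__(self, pattern, max_segments):
        self.pattern = re.compile(pattern, re.DOTALL)
        self.max_segments = max_segments  # hypothetical knob for the model
        self.buffer = b""
        self.count = 0
        self.matches = []

    def _flush(self):
        # Run detection on what has been reassembled so far, then drop it.
        if self.pattern.search(self.buffer):
            self.matches.append(self.buffer)
        self.buffer = b""
        self.count = 0

    def feed(self, payload):
        self.buffer += payload
        self.count += 1
        if self.count >= self.max_segments:
            self._flush()

    def finish(self):
        # End of flow: inspect whatever is still buffered.
        if self.buffer:
            self._flush()
        return len(self.matches)

def alerts_for(segments, max_segments):
    # Number of times the rule pattern matched across all flushes.
    r = SegmentLimitedReassembler(rb"<script>.*</script>", max_segments)
    for seg in segments:
        r.feed(seg)
    return r.finish()

# Constructed sample flow: four benign segments, then a payload whose
# opening tag is in segment 5 and whose closing tag is in segment 6.
SAMPLE_SEGMENTS = [
    b"HTTP/1.1 200 OK\r\n",
    b"Content-Type: text/html\r\n\r\n",
    b"<html><body>",
    b"<p>hello</p>",
    b"<script>alert(",
    b"1)</script></body></html>",
]
```

With a limit of 5 the model flushes right after the opening tag and the closing tag is inspected on its own, so no alert; raising the limit to 6 or more keeps both halves in one buffer and the pattern matches.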
Current thread:
- Limits of Snort TCP reconstruction tom . barbette (Aug 31)
- <Possible follow-ups>
- Re: Limits of Snort TCP reconstruction Al Lewis (allewi) via Snort-users (Aug 31)
- Re: Limits of Snort TCP reconstruction tom . barbette (Aug 31)
- Re: Limits of Snort TCP reconstruction Al Lewis (allewi) via Snort-users (Aug 31)
- Re: Limits of Snort TCP reconstruction Geoff Serrao via Snort-users (Aug 31)
- Re: Limits of Snort TCP reconstruction tom . barbette (Sep 01)
- Re: Limits of Snort TCP reconstruction Russ via Snort-users (Sep 01)
- Re: Limits of Snort TCP reconstruction tom . barbette (Aug 31)