Snort mailing list archives

content: Rule won't match on packet over 1443 Bytes


From: phez asap via Snort-users <snort-users () lists snort org>
Date: Fri, 16 Nov 2018 00:30:15 -0600

Hi all,
I ran into an interesting issue that I cannot figure out. I have a basic
string content match (size: four characters) that works perfectly as long
as the packet data does not exceed 1443 bytes. If the packet data is 1444 it
does not work.

The packets are vlan tagged but that does not seem to be causing the issue.

*The test setup:*

*Snort rule:*
alert tcp any any <> any 5000 (msg:"test message";content:"g5Ag";sid:10000009;rev:1;)

*Generating text buffer:*

Client side (This works)

/usr/share/metasploit-framework/tools/exploits/pattern_create.rb -l 1443 |
nc 192.168.100.4 5000

Client side (This does not work)

/usr/share/metasploit-framework/tools/exploits/pattern_create.rb -l 1444 |
nc 192.168.100.4 5000


Server side:

nc -l -p 5000



*What I have tried:*

I thought maybe it was when the data split into two packets, so I took a look
in Wireshark, but that's at 1447. I don't think that is causing it.

I tried writing the rule with a flow statement (I did not think it would work
with flow if it did not work without it, but tried it anyway). I added port
5000 to the stream preprocessor's client ports. No luck.

Any ideas on what might be going on here?
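A quick offline check of the test payload described above, as an added example that is not part of the original post. It reimplements the cyclic "Aa0Aa1..." pattern the Metasploit pattern_create.rb tool emits (the triplet ordering is assumed from that well-known output, not copied from the tool), locates the rule's content string "g5Ag" in buffers of 1443 and 1444 bytes, and reports which TCP segment would hold it if the sender split the stream at a fixed size; the 1447-byte segment size is the value the poster saw in Wireshark and is passed in as a parameter, not measured here. The point of the check is to confirm that the content string sits at the same offset in both buffers and inside the first segment, so the match failure cannot be explained by the string's position in the payload.

```python
"""Locate a Snort content string inside a cyclic test buffer.

Added example, not code from the original post. The pattern generator
below mimics Metasploit's pattern_create output ("Aa0Aa1Aa2..."): the
digit cycles fastest, then the lowercase letter, then the uppercase one.
"""
import string

UPPER = string.ascii_uppercase
LOWER = string.ascii_lowercase
DIGITS = string.digits


def cyclic_pattern(length):
    """Return `length` bytes of the cyclic pattern "Aa0Aa1Aa2...".

    Triplet i is UPPER[i // 260], LOWER[(i // 10) % 26], DIGITS[i % 10],
    so every 4-byte window is unique within the first 20280 bytes.
    """
    out = bytearray()
    i = 0
    while len(out) < length:
        out += UPPER[(i // 260) % 26].encode()
        out += LOWER[(i // 10) % 26].encode()
        out += DIGITS[i % 10].encode()
        i += 1
    return bytes(out[:length])


def content_offset(payload, content):
    """Offset of the first occurrence of `content` in `payload`, or -1."""
    return payload.find(content)


def segment_for_offset(offset, segment_size):
    """0-based index of the segment holding `offset` when the sender splits
    the stream into fixed `segment_size` chunks (assumed model, not a
    capture)."""
    return offset // segment_size


def check_rule_content(length, content=b"g5Ag", segment_size=1447):
    """Summarise where the rule's content string lands for a buffer of
    `length` bytes: its offset, the segment it falls in, and whether the
    buffer exceeds one segment at all."""
    payload = cyclic_pattern(length)
    off = content_offset(payload, content)
    return {
        "length": length,
        "offset": off,
        "segment": segment_for_offset(off, segment_size) if off >= 0 else None,
        "split": length > segment_size,
    }


if __name__ == "__main__":
    # The two buffer sizes from the post: one matches, one does not.
    for n in (1443, 1444):
        print(check_rule_content(n))
```

Both sizes report the string at offset 196 in segment 0 with no split, which narrows the investigation to how the sensor handles the larger segment (stream reassembly, packet size limits, or rule options) rather than to the payload itself.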