Snort mailing list archives
content: Rule won't match on packet over 1443 Bytes
From: phez asap via Snort-users <snort-users () lists snort org>
Date: Fri, 16 Nov 2018 00:30:15 -0600
Hi All,

I ran into an interesting issue that I cannot figure out. I have a basic string content match (size: four characters) that works perfectly as long as the packet data does not exceed 1443 bytes. If the packet data is 1444 bytes it does not work. The packets are VLAN tagged, but that does not seem to be causing the issue.

The test setup:

Snort rule:

alert tcp any any <> any 5000 (msg:"test message";content:"g5Ag";sid:10000009;rev:1;)

Generating text buffer:

Client side (this works):
/usr/share/metasploit-framework/tools/exploits/pattern_create.rb -l 1443 | nc 192.168.100.4 5000

Client side (this does not work):
/usr/share/metasploit-framework/tools/exploits/pattern_create.rb -l 1444 | nc 192.168.100.4 5000

Server side:
nc -l -p 5000

What I have tried:

I thought maybe it was when the data split into two packets, so I took a look in Wireshark, but that's at 1447. I don't think that is causing it.

I tried writing the rule with a flow statement (I did not think it would work with flow if it did not work without it, but tried it anyway).

I added port 5000 to the stream processor ports client. No luck.

Any ideas on what might be going on here?
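An added offline check for the test setup above (example code written for this archive page; it is not from the original poster and not Metasploit's or Snort's own code). It regenerates the pattern_create.rb default cyclic pattern, confirms that the content "g5Ag" is present in both the 1443- and 1444-byte payloads and at the same offset, and computes the on-the-wire frame size for each payload so the 1443/1444 boundary can be compared against the snaplen Snort is capturing with (its -s option). The IPv4 header of 20 bytes and TCP header of 32 bytes (20 plus NOP,NOP,timestamp options, typical for a Linux sender) are assumptions and should be checked against the actual Wireshark capture; the snaplen default argument is likewise only a placeholder.

```python
import string

def msf_pattern(length: int) -> bytes:
    """Reimplementation of the default pattern_create.rb output: every 3-byte
    chunk is <upper><lower><digit>, with the digit cycling fastest, then the
    lowercase letter, then the uppercase letter (Aa0Aa1...Aa9Ab0...). This is
    not the Metasploit code itself."""
    out = bytearray()
    for upper in string.ascii_uppercase:
        for lower in string.ascii_lowercase:
            for digit in string.digits:
                out += (upper + lower + digit).encode()
                if len(out) >= length:
                    return bytes(out[:length])
    return bytes(out[:length])

def content_offset(payload: bytes, content: bytes) -> int:
    """Byte offset at which a case-sensitive Snort content match would first
    hit inside this payload, or -1 if the bytes are absent."""
    return payload.find(content)

def frame_size(payload_len: int, vlan: bool = True,
               ip_hdr: int = 20, tcp_hdr: int = 32) -> int:
    """Ethernet frame length (without FCS) for one TCP segment carrying
    payload_len bytes. ASSUMPTIONS: 20-byte IPv4 header, 32-byte TCP header
    (options present), 4-byte 802.1Q tag when vlan=True. Verify these against
    the real capture before drawing conclusions."""
    eth = 14 + (4 if vlan else 0)
    return eth + ip_hdr + tcp_hdr + payload_len

def compare(content: bytes = b"g5Ag", sizes=(1443, 1444),
            snaplen: int = 1518) -> dict:
    """For each tested payload size: where the content sits, how big the frame
    is, and whether it fits the given snaplen (placeholder value, assumption)."""
    result = {}
    for n in sizes:
        payload = msf_pattern(n)
        size = frame_size(n)
        result[n] = {
            "offset": content_offset(payload, content),
            "frame_bytes": size,
            "fits_snaplen": size <= snaplen,
        }
    return result

if __name__ == "__main__":
    for n, info in compare().items():
        print(f"payload {n}: content at offset {info['offset']}, "
              f"frame {info['frame_bytes']} bytes, "
              f"fits snaplen: {info['fits_snaplen']}")
```

Because "g5Ag" comes from the chunk pair Ag5 Ag6, it sits at offset 196 of the pattern whatever the total length, so the rule's content is present in both payloads and the difference between 1443 and 1444 bytes lies in how the segment is captured or processed, not in the bytes being searched. Under the stated header assumptions the 1444-byte payload is exactly a 1514-byte tagged frame, which is worth comparing against the snaplen and the segment boundary seen in the capture.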
Current thread:
- content: Rule won't match on packet over 1443 Bytes phez asap via Snort-users (Nov 15)
- Re: content: Rule won't match on packet over 1443 Bytes Al Lewis (allewi) via Snort-users (Nov 16)