Snort mailing list archives

Effect of stream4 on rules


From: "Oliver Dain" <odain () ll mit edu>
Date: Wed, 30 Jan 2002 18:25:32 -0500

If I use the stream4 stream reassembly pre-processor, what do the rules
"see"? I would assume they would see the reassembled stream so that if
my rule contained 'content: "hacker"' and "hack" was sent in one
packet and "er" was sent in the next packet my rule would still match.
However, I'm not clear on how rules that include things like ttl, tcp
flags, etc. match since what is passed to the rules is now the
concatenation of multiple packets. Does anybody know how this works?

+-----------------------------------------------------------------------+
| Oliver Dain                          | voice:  (781) 981-4788         |
| Information Systems Technology Group | e-mail: odain () sst ll mit edu   |
| MIT Lincoln Laboratory               | web: http://www.ll.mit.edu/IST |
| 244 Wood Street                      |                                |
| Lexington, MA 02420-9185             |                                |
+-----------------------------------------------------------------------+


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
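To make the question concrete, here is a small added example (not Snort code, and not a description of how stream4 resolves per-packet fields) that reassembles TCP segments by sequence number and then runs a content check both per packet and over the reassembled stream. The segment data, sequence numbers, TTLs and flags are constructed; the `carriers` mapping, which reports which segments' bytes a stream match touched, is this toy's own design, added to show that a match spanning a segment boundary has no single ttl or flag set behind it.

```python
"""Toy TCP reassembly versus per-packet content matching (added example, not Snort's stream4)."""
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass
class Segment:
    seq: int        # sequence number of the first payload byte
    payload: bytes
    ttl: int        # per-packet IP field, kept to show it belongs to one segment
    flags: str      # TCP flags as a short string, e.g. "PA" for PSH+ACK


@dataclass
class StreamReassembler:
    """In-order reassembler for one direction of one TCP session.

    Segments wait in `pending` until the bytes before them have arrived;
    contiguous data is appended to `data`, and `origins` remembers which
    segment supplied each byte range of the reassembled stream.
    """
    next_seq: int
    pending: dict = field(default_factory=dict)
    data: bytearray = field(default_factory=bytearray)
    origins: list = field(default_factory=list)   # (start, end, ttl, flags)

    def add(self, seg: Segment) -> None:
        if seg.seq < self.next_seq:
            # Retransmission or overlap: keep only bytes not already delivered.
            skip = self.next_seq - seg.seq
            if skip >= len(seg.payload):
                return
            seg = Segment(self.next_seq, seg.payload[skip:], seg.ttl, seg.flags)
        self.pending[seg.seq] = seg
        self._flush()

    def _flush(self) -> None:
        while self.next_seq in self.pending:
            seg = self.pending.pop(self.next_seq)
            start = len(self.data)
            self.data.extend(seg.payload)
            self.origins.append((start, start + len(seg.payload), seg.ttl, seg.flags))
            self.next_seq += len(seg.payload)

    def carriers(self, start: int, end: int) -> list:
        """(ttl, flags) of every segment whose bytes fall inside [start, end)."""
        return [(ttl, flags) for (a, b, ttl, flags) in self.origins
                if a < end and b > start]


def per_packet_match(segments: list, pattern: bytes) -> list:
    """Indices of segments whose own payload contains the pattern."""
    return [i for i, s in enumerate(segments) if pattern in s.payload]


def stream_match(reassembler: StreamReassembler, pattern: bytes) -> int:
    """Offset of the pattern in the reassembled stream, or -1 if absent."""
    return bytes(reassembler.data).find(pattern)


def demo() -> dict:
    # Constructed sample: "hacker" split as "hack" + "er", arriving out of order
    # with different TTLs, so no single packet carries the whole string.
    segs = [
        Segment(seq=1004, payload=b"er\r\n", ttl=64, flags="PA"),
        Segment(seq=1000, payload=b"hack", ttl=63, flags="A"),
    ]
    r = StreamReassembler(next_seq=1000)
    for s in segs:
        r.add(s)
    off = stream_match(r, b"hacker")
    return {
        "per_packet": per_packet_match(segs, b"hacker"),   # [] : no single packet matches
        "stream_offset": off,                               # 0  : found after reassembly
        "carriers": r.carriers(off, off + len(b"hacker")) if off >= 0 else [],
    }


if __name__ == "__main__":
    print(demo())
```

The per-packet check returns nothing while the stream check finds the string at offset 0, and `carriers` shows the matched bytes came from two segments with ttl 63 and ttl 64. Whatever a real reassembling IDS does with header-based rule options on such a match, the example makes clear that the answer cannot simply be "the ttl of the reassembled packet", because there is more than one.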
