Snort mailing list archives

RE: [Snort-devel] dsize broken in snort 2 (and possibly 1.9.x)


From: "Kreimendahl, Chad J" <Chad.Kreimendahl () umb com>
Date: Tue, 29 Oct 2002 15:04:42 -0600


And another rule:

web-misc.rules:
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC long basic authorization string"; flow:to_server,established; content:"Authorization\: Basic "; nocase; dsize:>1000; classtype:attempted-dos; reference:bugtraq,3230; sid:1260; rev:5;)

-----Original Message-----
From: Chris Green [mailto:cmg () snort org] 
Sent: Tuesday, October 29, 2002 2:52 PM
To: Kreimendahl, Chad J
Cc: snort-devel () lists sourceforge net; snort-users () lists sourceforge net
Subject: Re: [Snort-devel] dsize broken in snort 2 (and possibly 1.9.x)


"Kreimendahl, Chad J" <Chad.Kreimendahl () umb com> writes:

> It appears that in at least v2 of snort that dsize is not working for
> any rule that uses it.  Anyone else experienced this?

dsize should not be used for things coming out of the stream
reassembler and the sig set needs to be audited for things that rely
on it.

Do you have an example packet that you are expecting to see go off?
-- 
Chris Green <cmg () sourcefire com>
This is my signature. There are many like it but this one is mine.
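
An added example, not part of the original messages or of Snort itself: one way to start the audit Chris Green describes is to list every TCP rule that uses dsize. The parser, the function names and the two rules with sids 1000001 and 1000002 are constructed for illustration; treating every TCP rule as a stream-reassembly candidate is this example's assumption.

```python
# Constructed sample input: the first rule is the one quoted in this thread,
# the other two (sids 1000001 and 1000002) are made up for contrast.
SAMPLE_RULES = r'''
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC long basic authorization string"; flow:to_server,established; content:"Authorization\: Basic "; nocase; dsize:>1000; classtype:attempted-dos; reference:bugtraq,3230; sid:1260; rev:5;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"constructed large ICMP"; dsize:>800; sid:1000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"constructed FTP match"; flow:to_server,established; content:"SITE "; nocase; sid:1000002; rev:1;)
'''

def parse_options(rule):
    """Split the (...) option block of one rule into (keyword, value) pairs."""
    body = rule[rule.index("(") + 1 : rule.rindex(")")]
    opts, buf, in_quote, escaped = [], [], False, False
    for ch in body:
        if escaped:                      # character after a backslash is literal
            buf.append(ch); escaped = False
        elif ch == "\\":
            buf.append(ch); escaped = True
        elif ch == '"':
            buf.append(ch); in_quote = not in_quote
        elif ch == ";" and not in_quote:  # unquoted, unescaped ';' ends an option
            key, _, val = "".join(buf).strip().partition(":")
            if key:
                opts.append((key.strip().lower(), val.strip()))
            buf = []
        else:
            buf.append(ch)
    return opts

def audit_dsize(rules_text):
    """Return [(sid, dsize, notes)] for TCP rules that use dsize."""
    findings = []
    for line in rules_text.splitlines():
        line = line.strip()
        if line.startswith("#") or "(" not in line:
            continue                     # skip blanks, comments, non-rule lines
        opts = parse_options(line)
        first = lambda key: next((v for k, v in opts if k == key), None)
        # Heuristic (assumption): only TCP rules can see reassembled streams.
        if line.split()[1].lower() != "tcp" or first("dsize") is None:
            continue
        notes = []
        if "established" in (first("flow") or ""):
            notes.append("flow:established")
        if first("content") is not None:
            notes.append("content match")
        findings.append((first("sid"), first("dsize"), notes))
    return findings

if __name__ == "__main__":
    for sid, dsize, notes in audit_dsize(SAMPLE_RULES):
        print(f"sid {sid}: dsize:{dsize} on a TCP rule ({', '.join(notes) or 'no flow/content'}) - review")
```

On the sample input only sid 1260 is reported; the ICMP rule is skipped because it never passes through the TCP stream reassembler.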

