Snort mailing list archives
flowbits together with stream4_reassemble question
From: "Per Kristian Johnsen" <per.kristian.johnsen () proseq no>
Date: Mon, 7 Jun 2004 12:08:20 +0200
Hi,

I'm trying to write a set of signatures for detecting mass-mailing activity. The sigs depend on each other by using the flowbits option to keep track of the state in the SMTP protocol. I'm also using the preprocessor stream4_reassemble for port 25, and here's where my problems begin: only the first sig in my state-based signature set will ever trigger, and I think this is caused by the stream4_reassemble preprocessor making one big "pseudo-packet" that is exposed to the signature set only once.

Do my assumptions make sense? Anyone else having problems with combining the flowbits functionality with the stream4_reassemble preprocessor?

Regards,
Per Kristian
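For readers unfamiliar with the setup the question describes, here is an added illustration of such a flowbits chain for SMTP (rules written for this archive note, not the poster's own; they assume Snort 2.x syntax of the period, the $HOME_NET/$EXTERNAL_NET variables from snort.conf, and made-up flowbit names and SIDs):

```snort
# Reassemble both directions of port 25 so multi-segment SMTP commands are
# seen whole. Note: at flush time stream4 hands the detection engine one
# rebuilt packet that may contain several SMTP commands at once, which is
# the situation the question above is asking about.
preprocessor stream4: detect_scans, disable_evasion_alerts
preprocessor stream4_reassemble: both, ports 25

# State 1: client greeting (HELO or EHLO). Set a bit on the session, no alert.
alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"SMTP greeting seen"; \
    flow:to_server,established; pcre:"/^(HELO|EHLO)\s/i"; \
    flowbits:set,smtp.greeted; flowbits:noalert; sid:1000001; rev:1;)

# State 2: MAIL FROM only counts if the greeting bit was set on this session.
alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"SMTP MAIL FROM after greeting"; \
    flow:to_server,established; content:"MAIL FROM"; nocase; \
    flowbits:isset,smtp.greeted; flowbits:set,smtp.mailfrom; \
    flowbits:noalert; sid:1000002; rev:1;)

# State 3: RCPT TO after MAIL FROM. Alert only when one internal source
# issues many of these in a short window, which is the mass-mailing symptom.
alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"SMTP many RCPT TO from one host"; \
    flow:to_server,established; content:"RCPT TO"; nocase; \
    flowbits:isset,smtp.mailfrom; \
    threshold:type both, track by_src, count 20, seconds 60; \
    classtype:policy-violation; sid:1000003; rev:1;)
```

When testing a chain like this, replay the session both with stream4_reassemble disabled and enabled and compare which SIDs fire, so that a difference caused by the rebuilt pseudo-packet can be separated from a defect in the rules themselves.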
Current thread:
- flowbits together with stream4_reassemble question Per Kristian (Jun 07)
- <Possible follow-ups>
- flowbits together with stream4_reassemble question Per Kristian Johnsen (Jun 09)
- flowbits together with stream4_reassemble question Per Kristian Johnsen (Jun 09)