Snort mailing list archives

flowbits together with stream4_reassemble question


From: "Per Kristian Johnsen" <pkjohnse () start no>
Date: Mon, 7 Jun 2004 11:57:57 +0200

Hi,

I'm trying to write a set of signatures for detecting mass-mailing activity.
The sigs depend on each other by using the flowbits option to keep
track of the state in the SMTP protocol. I'm also using the preprocessor
stream4_reassemble for port 25, and here's where my problems begin:

Only the first sig in my state-based signature set will ever trigger, and I
think this is caused by the stream4_reassemble preprocessor making one big
"pseudo-packet" that is exposed to the signature set only once. Do my
assumptions make sense? Anyone else having problems with combining the
flowbits functionality with the stream4_reassemble preprocessor?

Regards,
Per Kristian
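The kind of flowbits chain the post describes, written out as an added example (these are not the poster's rules, and the flowbit name, SIDs and messages are made up for illustration). Rule 1 records that a MAIL FROM command has been seen on the flow and suppresses its own alert; rule 2 only fires on RCPT TO when that state is set; rule 3 clears the state again when the DATA command ends the envelope, so the next message in the same session starts from scratch:

```snort
# Added example of SMTP envelope state tracking with flowbits (not from the original post).
# flowbit name "smtp.mailfrom" and SIDs 1000001-1000003 are placeholders chosen for this example.

# State 1: client issued MAIL FROM - remember it on the flow, but do not alert on its own.
alert tcp $HOME_NET any -> any 25 (msg:"LOCAL SMTP MAIL FROM seen"; \
    flow:to_server,established; content:"MAIL FROM|3A|"; nocase; \
    flowbits:set,smtp.mailfrom; flowbits:noalert; \
    classtype:not-suspicious; sid:1000001; rev:1;)

# State 2: RCPT TO after a MAIL FROM on the same flow - this is the rule that alerts.
alert tcp $HOME_NET any -> any 25 (msg:"LOCAL SMTP RCPT TO after MAIL FROM"; \
    flow:to_server,established; content:"RCPT TO|3A|"; nocase; \
    flowbits:isset,smtp.mailfrom; \
    classtype:not-suspicious; sid:1000002; rev:1;)

# State 3: DATA closes the envelope - clear the state so a second message is tracked afresh.
alert tcp $HOME_NET any -> any 25 (msg:"LOCAL SMTP DATA resets envelope state"; \
    flow:to_server,established; content:"DATA|0D 0A|"; nocase; \
    flowbits:unset,smtp.mailfrom; flowbits:noalert; \
    classtype:not-suspicious; sid:1000003; rev:1;)
```

The chain only works if the set and the isset are evaluated on separate packets, which is exactly the property the post questions: when stream4_reassemble delivers a whole client-to-server stream as one reassembled pseudo-packet, MAIL FROM, RCPT TO and DATA all arrive in a single buffer. A practical check is to compare results with port 25 present and absent in the `ports` list of the `stream4_reassemble` preprocessor line in snort.conf while replaying the same capture; if rule 1000002 fires only without reassembly on port 25, the reassembly behaviour, not the rule logic, is what needs adjusting. No rate threshold is included here because what counts as "mass" mailing is site-specific.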
