Re: Have difference sig detection in Snort 2.9.1.2 and above 2.9.3.

[Kiryukhin Andrey <andrei_1980 () mail ru>]

 waldo kitty  wrote:
> how big is each packet in the pcap that should be triggering the rule?
> i'm thinking that it may be due to packet reassembly but that's a pure eWAG...

 Thanks for replay! It point me to right way. 
My problem was in that really in some session shellcode was split in two packets (i made this mix of session some years 
ago, and forgot how i do it), and target port does not present in stream preprocessor.

Maybe it was bug in snort 2.9.1, because it reassemble session, without declaration port in stream preprocessor.

Best Regards, Kiryukhin Andrey

------------------------------------------------------------------------------
Master Visual Studio, SharePoint, SQL, ASP.NET, C# 2012, HTML5, CSS,
MVC, Windows 8 Apps, JavaScript and much more. Keep your skills current
with LearnDevNow - 3,200 step-by-step video tutorials by Microsoft
MVPs and experts. ON SALE this month only -- learn more at:
http://p.sf.net/sfu/learnmore_122712

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!