Snort mailing list archives

content-rule not matching with no_stream_inserts on 1st packet


From: Florian Westphal <florian.westphal () sophos com>
Date: Wed, 25 Sep 2013 18:30:15 +0200

Snort 2.9.5.3. A simple rule like:

alert tcp any any -> any any (msg:"Foobar"; content:"foobar"; sid:12345;)

Does not match if all of the following conditions hold:

- connection is not being reassembled (ports are not listed in stream5 config)
- "config detection: no_stream_inserts" is enabled in snort.conf
- the pattern appears in the first data packet

The first packet still has the "PKT_STREAM_INSERT" flag set, which is why
fpEvalHeaderSW() skips it.  But no reassembled packet will ever be sent
to the detection engine.  This is no longer the case for subsequent
packets, so if the content appears in a later packet the alert is
triggered.

The rule will fire with the attached pcap even in the above config
when I add a Stream5FlushTalker() to AutoDiable() in
src/preprocessors/Stream5/snort_stream5_tcp.c.

It would be nice if this could be fixed in a future release of snort.

Thanks,
Florian

Attachment: foobar.pcap
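To reproduce the three conditions in the report without the attached foobar.pcap, the script below (an added example, not Florian's code and not the original attachment) writes two minimal captures with the Python standard library only: one where "foobar" sits in the first data segment of the connection, and one where it only appears in the second. The addresses, the client port 40000 and the server port 4444 are assumptions; 4444 is chosen as a port that is not in a typical stream5_tcp "ports" list, so the session is tracked but not reassembled, which is what the report describes. IP and TCP checksums are computed correctly because Snort verifies checksums by default and would otherwise ignore the segments.

```python
"""Constructed pcaps for the no_stream_inserts / first-segment condition.

Assumed (not from the report): 10.0.0.1:40000 -> 10.0.0.2:4444, seq numbers,
MAC addresses and timestamps. Output files are foobar_first.pcap and
foobar_second.pcap.
"""
import struct
from ipaddress import IPv4Address

SYN, ACK, PSH = 0x02, 0x10, 0x08

CLIENT = IPv4Address("10.0.0.1").packed   # assumed
SERVER = IPv4Address("10.0.0.2").packed   # assumed
CLIENT_PORT, SERVER_PORT = 40000, 4444    # 4444 assumed absent from stream5_tcp ports


def checksum(data: bytes) -> int:
    """RFC 1071 ones' complement sum; returns 0 when run over a valid header."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def tcp_packet(src, dst, sport, dport, seq, ack, flags, payload=b"") -> bytes:
    """Ethernet + IPv4 + TCP frame with valid IP and TCP checksums."""
    eth = b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb" + b"\x08\x00"
    tcp_len = 20 + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + tcp_len, 0x1234,
                         0x4000, 64, 6, 0, src, dst)
    ip_hdr = ip_hdr[:10] + struct.pack("!H", checksum(ip_hdr)) + ip_hdr[12:]
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4,
                          flags, 65535, 0, 0)
    pseudo = src + dst + struct.pack("!BBH", 0, 6, tcp_len)
    csum = checksum(pseudo + tcp_hdr + payload)
    tcp_hdr = tcp_hdr[:16] + struct.pack("!H", csum) + tcp_hdr[18:]
    return eth + ip_hdr + tcp_hdr + payload


def build_session(client_payloads):
    """Full 3-way handshake so stream5 tracks the session, then one
    client PSH|ACK segment per payload, with consistent sequence numbers."""
    cseq, sseq = 1000, 2000
    pkts = [
        tcp_packet(CLIENT, SERVER, CLIENT_PORT, SERVER_PORT, cseq, 0, SYN),
        tcp_packet(SERVER, CLIENT, SERVER_PORT, CLIENT_PORT, sseq, cseq + 1, SYN | ACK),
        tcp_packet(CLIENT, SERVER, CLIENT_PORT, SERVER_PORT, cseq + 1, sseq + 1, ACK),
    ]
    next_seq = cseq + 1
    for data in client_payloads:
        pkts.append(tcp_packet(CLIENT, SERVER, CLIENT_PORT, SERVER_PORT,
                               next_seq, sseq + 1, PSH | ACK, data))
        next_seq += len(data)
    return pkts


def pcap_bytes(packets, base_ts=1380000000) -> bytes:
    """Classic libpcap file: 24-byte global header, 16-byte record headers."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]
    for i, pkt in enumerate(packets):
        out.append(struct.pack("<IIII", base_ts, i * 1000, len(pkt), len(pkt)))
        out.append(pkt)
    return b"".join(out)


def tcp_checksum_ok(pkt: bytes) -> bool:
    """Re-verify the TCP checksum the way a receiver (or Snort) would."""
    src, dst, seg = pkt[26:30], pkt[30:34], pkt[34:]
    pseudo = src + dst + struct.pack("!BBH", 0, 6, len(seg))
    return checksum(pseudo + seg) == 0


def main():
    cases = (
        ("foobar_first.pcap", [b"foobar"]),              # pattern in 1st data segment
        ("foobar_second.pcap", [b"hello ", b"foobar"]),  # pattern in 2nd data segment
    )
    for name, payloads in cases:
        with open(name, "wb") as fh:
            fh.write(pcap_bytes(build_session(payloads)))
        print("wrote", name)


if __name__ == "__main__":
    main()
```

Run both files through the same snort.conf (the rule from the report, "config detection: no_stream_inserts", and 4444 left out of the stream5_tcp "ports" list) with `snort -c snort.conf -r foobar_first.pcap` and again with foobar_second.pcap; the report predicts an alert only for the second file. Check your stream5_tcp configuration first: if the server port is in its ports list, the segment is reassembled and the condition does not apply.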

_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel
Archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel

Please visit http://blog.snort.org for the latest news about Snort!
