Snort mailing list archives
Re: Limits of Snort TCP reconstruction
From: "Al Lewis (allewi) via Snort-users" <snort-users () lists snort org>
Date: Thu, 31 Aug 2017 14:44:20 +0000
Take a look at the README.stream5 included in the download.

Albert Lewis
ENGINEER.SOFTWARE ENGINEERING
SOURCEfire, Inc. now part of Cisco
Email: allewi () cisco com

On 8/31/17, 10:37 AM, "Snort-users on behalf of tom.barbette () ulg ac be" <snort-users-bounces () lists snort org on behalf of tom.barbette () ulg ac be> wrote:

Hi list,

I read a lot of documentation, but it is still not clear to me what are the limitations of the Snort TCP reconstruction. It seems that when creating a rule which matches on TCP payload, it will match the payload across multiple packets. But what's the limit in terms of number of packets here?

E.g. if I want to match on "<script>.*</script>" in HTTP payload, would Snort fail to match if ".*" is actually big enough?

If someone can link me to some more documentation, or help me understand the limits, that would be great.

Thanks,
Tom

_______________________________________________
Snort-users mailing list
Snort-users () lists snort org
Go to this URL to change user options or unsubscribe:
https://lists.snort.org/mailman/listinfo/snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!