How snort handels contents divided in multiple packets?

[Hamza Ali via Snort-users <snort-users () lists snort org>]

Hello,

I am learning snort so sorry if its a very basic question. Consider the
rule:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC";
flow:to_server,established; content:"HELLO",depth 6; content:"MATE",depth
4,offset 7; sid:42129; rev:1; )

Basically, if "HELLO" and "MATE" are seen in the specified locations in the
same packet on the given four-tuple, the alert will trigger.

My question is what will happen if "HELLO" is sent in the first packet and
"MATE" is sent in the second packet. Since both contents have to be present
in the same packet according to the rule, the rule will not fire but the
message will be transmitted. How will snort deal with this scenario? Thanks

_______________________________________________
Snort-users mailing list
Snort-users () lists snort org
Go to this URL to change user options or unsubscribe:
https://lists.snort.org/mailman/listinfo/snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!

Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette