Re: Matching overlapping TCP data segments with differing data

[Yun Zheng Hu via Snort-sigs <snort-sigs () lists snort org>]

Hi,

I made some patches for Snort to support this in the past.

You can find the original patches and other reference material here:

https://github.com/fox-it/quantuminsert

Regards,
Yun

> On 25 Sep 2019, at 14:30, Peter Maynard via Snort-sigs <snort-sigs () lists snort org> wrote:
>
> Hello,
>
> I'm looking to create a signature that is able to match on overlapping
> TCP data segments that have different data.  
>
> The reason being for detecting man-on-the-side attacks [1]. This has
> been implmenting within suricata [2] and was wondering if this were
> possibile within SNORT?
>
> Kind Regards, 
> Pete
>
> [1] https://en.wikipedia.org/wiki/Man-on-the-side_attack
> [2] h
> ttps://github.com/OISF/suricata/commit/6f76ac176d70d85fa2a5719dacdc8fef0ef074dc
>
>
> -- 
> Pete Maynard 
> Center for Secure Information Technologies
> Queen's University Belfast
> GPG: 0xABB8D69D
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs () lists snort org
> https://lists.snort.org/mailman/listinfo/snort-sigs
>
> Please visit http://blog.snort.org for the latest news about Snort!
>
> Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette
>
> Visit the Snort.org to subscribe to the official Snort ruleset, make sure to stay up to date to catch the most <a 
> href=" https://snort.org/downloads/#rule-downloads";>emerging threats</a>!
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists snort org
https://lists.snort.org/mailman/listinfo/snort-sigs

Please visit http://blog.snort.org for the latest news about Snort!

Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette

Visit the Snort.org to subscribe to the official Snort ruleset, make sure to stay up to date to catch the most <a 
href=" https://snort.org/downloads/#rule-downloads";>emerging threats</a>!