[Snort-devel] dsize broken in snort 2 (and possibly 1.9.x)

Kreimendahl, Chad J Chad.Kreimendahl at ...1167...
Tue Oct 29 12:58:13 EST 2002


Here it is:

tcp any any -> any any (msg:"LOCAL Someone email rule";
content:"some.user at ...1167..."; nocase; flow:established; dsize: >200;
classtype:string-detect; sid:9999; rev:1;)

-----Original Message-----
From: Chris Green [mailto:cmg at ...835...] 
Sent: Tuesday, October 29, 2002 2:52 PM
To: Kreimendahl, Chad J
Cc: snort-devel at lists.sourceforge.net; snort-users at lists.sourceforge.net
Subject: Re: [Snort-devel] dsize broken in snort 2 (and possibly 1.9.x)


"Kreimendahl, Chad J" <Chad.Kreimendahl at ...1167...> writes:

> It appears that in at least v2 of snort that dsize is not working for
> any rule that uses it.  Anyone else experienced this?

dsize should not be used for things coming out of the stream
reassembler and the sig set needs to be audited for things that rely
on it.

Do you have an example packet that you are expecting to see go off?
-- 
Chris Green <cmg at ...402...>
This is my signature. There are many like it but this one is mine.
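
Added example, not part of the original thread and not Snort source code: a simplified Python model of why a rule that pairs content with dsize can stay silent on stream traffic. It assumes the behaviour the Snort 2.x manual documents (dsize never matches on stream-rebuilt packets); the names Packet, rule_fires and evaluate and the sample address are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass
class Packet:
    payload: bytes
    rebuilt: bool = False  # True for a pseudo-packet produced by stream reassembly

def content_match(pkt, pattern):
    # Models content:"..."; nocase;
    return pattern.lower() in pkt.payload.lower()

def dsize_gt(pkt, n):
    # Assumption (per the Snort 2.x manual): dsize tests the wire payload
    # size and always fails on a rebuilt pseudo-packet.
    if pkt.rebuilt:
        return False
    return len(pkt.payload) > n

def rule_fires(pkt, pattern, min_size=None):
    # All options must match on the same inspected buffer.
    if not content_match(pkt, pattern):
        return False
    if min_size is not None and not dsize_gt(pkt, min_size):
        return False
    return True

def reassemble(segments):
    return Packet(b"".join(s.payload for s in segments), rebuilt=True)

def evaluate(segments, pattern, min_size=None):
    """Return which buffers fire: each wire segment, then the rebuilt stream."""
    buffers = list(segments) + [reassemble(segments)]
    return ["rebuilt" if p.rebuilt else "wire"
            for p in buffers if rule_fires(p, pattern, min_size)]

# Constructed sample traffic: the address straddles two TCP segments in SPLIT
# and sits inside one large segment in WHOLE.
PATTERN = b"some.user@example.test"
SPLIT = [Packet(b"RCPT TO:<some.us"),
         Packet(b"er@example.test>\r\n" + b"X" * 150)]
WHOLE = [Packet(b"RCPT TO:<some.user@example.test>\r\n" + b"X" * 300)]

if __name__ == "__main__":
    print("split, content only :", evaluate(SPLIT, PATTERN))
    print("split, with dsize   :", evaluate(SPLIT, PATTERN, 200))
    print("whole, with dsize   :", evaluate(WHOLE, PATTERN, 200))
```

When the string spans segments, only the rebuilt buffer contains it, and that is the one buffer on which dsize cannot match, so the combined rule never alerts.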



