[Snort-devel] stream4 vs. dsize: how to spot an overflow?

Matthew Callaway matt-snort at ...806...
Wed Apr 30 14:57:29 EDT 2003


There are many signatures that are designed to spot buffer overflows.
It appears that dsize is the option that was designed to spot such
attacks, since they often require > N bytes.  But the last line of the
dsize description says, "These tests always will fail on stream rebuilt
packets."

Then there's the "flow" option, which has the "no_stream" and
"only_stream" options.  In the manual, the "no_stream" option has a
note, "useful for dsize and stream4".

This is not particularly clear.  If I split an attack over multiple tcp
packets, we don't see it.

The question I have is, "How, specifically, does one detect a
reassembled stream of minimum size N?"

One way was to use regex (which works with 1.9.1):

content: "?"; offset: 800; regex;

What does one do in 2.0?

Thanks,

Matt
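An illustration of the two cases the question raises, added here as an example and not taken from the original post or from the Snort rule set; the port, sids and the 800-byte threshold are assumptions, and it assumes Snort 2.0's pcre keyword as the replacement for the 1.9.1 regex option:

```snort
# Case 1: the whole payload arrives in one raw packet. dsize is evaluated on
# raw packets only, so restrict this rule to them with no_stream.
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"EXAMPLE oversized request, raw packet"; flow:to_server,established,no_stream; dsize:>800; sid:1000001; rev:1;)

# Case 2: the payload was split over several TCP packets and stream4 rebuilt it.
# dsize always fails on rebuilt packets, so match on the rebuilt buffer instead and
# require at least 800 bytes from its start (/s lets '.' match newlines as well).
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"EXAMPLE oversized request, reassembled stream"; flow:to_server,established,only_stream; pcre:"/^.{800}/s"; sid:1000002; rev:1;)
```

The second rule only sees traffic that stream4 is actually reassembling, so its coverage is bounded by the stream4_reassemble port list and by whether the 800 bytes fall inside one flush window.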