[Snort-devel] [ snort-Bugs-733411 ] No mechanism to detect minimum stream size

SourceForge.net noreply at ...12...
Wed May 7 07:37:05 EDT 2003


Bugs item #733411, was opened at 2003-05-06 10:26
Message generated for change (Tracker Item Submitted) made by Item Submitter
You can respond by visiting: 
https://sourceforge.net/tracker/?func=detail&atid=103357&aid=733411&group_id=3357

Category: None
Group: None
Status: Open
Resolution: None
Priority: 5
Submitted By: Nobody/Anonymous (nobody)
Assigned to: Nobody/Anonymous (nobody)
Summary: No mechanism to detect minimum stream size

Initial Comment:
There is no facility to specify minimum stream size in
relation to the stream4 preprocessor.

It appears that dsize is the option that was designed
to spot such attacks, since they often require > N
bytes.  But the last line of the dsize description
says, "These tests always will fail on stream rebuilt
packets."

The "flow" option has the "no_stream" and "only_stream"
options.  In the manual, the "no_stream" option has a
note, "useful for dsize and stream4". This is not
particularly clear.  If I split an attack over multiple
TCP packets, we don't see it.

There should be a facility for matching minimum stream
size + content.  This would make buffer overflow
signatures much more effective.

One way was to use regex (which works with 1.9.1):

content: "?"; offset: 800; regex;

But this is removed in 2.0.

Submitted by:
matt-snort (at) securepipe (dot) com

----------------------------------------------------------------------
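The report above describes a gap between per-packet tests and stream reassembly. The following is an added example, not Snort code and not from the report's author: it models, in Python, why a dsize-style check applied to each raw TCP segment misses a payload that was split across segments, what a "minimum reassembled stream size + content" check looks like, and how the 1.9.1 trick of `content:"?"; offset:800; regex;` reduces to "some byte exists at or beyond offset 800" on the rebuilt stream (that reading of the trick, the simplified in-order reassembly, and the constructed oversized FTP USER sample are all assumptions of this example).

```python
# Added example (not Snort code): a small model of why a per-packet size
# test misses an attack split across TCP segments, and what a
# "minimum reassembled stream size + content" test looks like.
from dataclasses import dataclass
from typing import List


@dataclass
class Segment:
    seq: int        # TCP sequence number of the first payload byte
    payload: bytes  # segment payload


def split_into_segments(payload: bytes, mss: int, start_seq: int = 1000) -> List[Segment]:
    """Cut a payload into MSS-sized segments with consecutive sequence numbers."""
    return [Segment(start_seq + i, payload[i:i + mss]) for i in range(0, len(payload), mss)]


def reassemble(segments: List[Segment]) -> bytes:
    """Order segments by sequence number and concatenate contiguous payload.

    Simplified model (assumption): stops at the first hole; a real
    reassembler also handles retransmissions and overlaps.
    """
    ordered = sorted(segments, key=lambda s: s.seq)
    data = bytearray()
    expected = ordered[0].seq if ordered else 0
    for seg in ordered:
        if seg.seq != expected:
            break
        data += seg.payload
        expected += len(seg.payload)
    return bytes(data)


def per_packet_match(segments: List[Segment], pattern: bytes, min_size: int) -> bool:
    """dsize-style test: content and size are evaluated on each raw segment alone."""
    return any(pattern in s.payload and len(s.payload) > min_size for s in segments)


def stream_match(segments: List[Segment], pattern: bytes, min_size: int) -> bool:
    """Requested test: content and size are evaluated on the reassembled stream."""
    data = reassemble(segments)
    return pattern in data and len(data) > min_size


def offset_wildcard_match(segments: List[Segment], offset: int) -> bool:
    """Model of the 1.9.1 trick content:"?"; offset:N; regex; applied to the
    rebuilt stream: true when any byte exists at or beyond the offset
    (assumption: "?" is read as a single-byte wildcard)."""
    return len(reassemble(segments)) > offset


# Constructed sample input: an oversized FTP USER command, not a real exploit.
LONG_USER = b"USER " + b"A" * 900 + b"\r\n"   # 907 bytes


def demo() -> dict:
    whole = split_into_segments(LONG_USER, mss=2000)   # arrives as one segment
    split = split_into_segments(LONG_USER, mss=200)    # arrives as five segments
    return {
        "single_packet_dsize": per_packet_match(whole, b"USER ", 800),  # True
        "split_dsize": per_packet_match(split, b"USER ", 800),          # False: no segment > 800
        "split_stream": stream_match(split, b"USER ", 800),             # True: 907-byte stream
        "split_offset_trick": offset_wildcard_match(split, 800),        # True
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Running the block prints the four results: the single-segment case is caught by the per-segment test, the five-segment case is missed by it and caught only by the checks that look at the reassembled stream, which is the detection gap the report describes.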