[Snort-devel] Content across multiple packets Not detected by Snort
easyeinfo at ...398...
Fri Apr 23 02:00:14 EDT 2004
I am working with snort from the last 3 weeks. I am using Snort 2.1.0 for content monitoring.
My problem is that if the content I am monitoring is splitted across two packets then Snort is not detecting it.
In my configuration file I have enabled stream4 and stream4_reassemble.
my snort.conf file
preprocessor stream4: detect_scans, disable_evasion_alerts, log_flushed_streams
preprocessor stream4_reassemble : clientonly, ports 25 80 3131
my rule file
alert tcp any any -> any any (content: "Hello World"; msg: "Got the message"; nocase;)
But still it is not detecting my content "Hello World" if it is splitted in two packets.
Earlier I thought Stream4 is not working so I debugged it.... But stream4 is working fine... It is enabled and it is forming the Session tree (splay tree). But in the Detection engine only packets are sent not the Session tree or the assembled packet......
So you people please guide me where am I going wrong. Am I looking in the right place (stream4).
Thanks in advance
Do you Yahoo!?
Yahoo! Photos: High-quality 4x6 digital prints for 25¢
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Snort-devel