[Snort-devel] Content across multiple packets Not detected by Snort

Dennis George easyeinfo at ...398...
Sun Apr 25 02:50:03 EDT 2004


Hi Jason,

>> Is the content being sent from the client side of
>> the connection, the one that initiated the stream
>> using a SYN?
Yes
>> Is it on one of the ports 25, 80, 3131?
Yes

Moreover, I would like to say to Abhijit that my contents
are in two packets (not fragmented).

Dennis


--- Jason <security at ...1585...> wrote:
> There are a few other things to consider as well depending on the
> case you are testing but I would look at this first. Is the content
> being sent from the client side of the connection, the one that
> initiated the stream using a SYN? Is it on one of the ports 25, 80,
> 3131? Your stream config is only reassembling streams from clients
> on the ports 25 80 3131.
> 
> 
> Dennis George wrote:
> 
> > Hi Abhijit,
> >
> > I am not talking about packet fragmentation. I will give you a
> > scenario... When you send a huge amount of data, the data cannot
> > be sent in a single packet but in multiple packets... thus if your
> > keyword is split across two packets then Snort is not detecting
> > it...
> >
> > frag2 is for fragmentation (a single packet split into many
> > fragments).
> >
> > And sorry, I didn't find anything like tcp_reassemble in Snort...
> > I searched the internet also...
> > Is it supported in Snort 2.1.0?
> >
> > Thanks and Regards
> > Dennis
> >
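
Added example, not part of the original thread and not Snort code: a simplified Python model of the behaviour discussed above, showing why a keyword split over two TCP segments is missed by per-packet matching and only found when the client side of the stream is reassembled on a configured port. The names Segment, per_packet_match, reassembled_match and sample_flow are hypothetical, and the addresses and payloads are constructed.

```python
from dataclasses import dataclass

REASSEMBLY_PORTS = {25, 80, 3131}  # ports named in the thread

@dataclass
class Segment:
    src: str
    sport: int
    dst: str
    dport: int
    seq: int
    payload: bytes = b""
    initial_syn: bool = False  # SYN without ACK: sender is the client

def per_packet_match(segments, keyword):
    """Content match applied to each segment payload on its own."""
    return any(keyword in s.payload for s in segments)

def reassembled_match(segments, keyword, ports=REASSEMBLY_PORTS):
    """Match on client-to-server data rebuilt in sequence order, only for `ports`."""
    streams = {}  # flow key -> [next expected seq, {seq: payload}]
    for s in segments:
        key = (s.src, s.sport, s.dst, s.dport)
        if s.initial_syn and s.dport in ports:
            streams[key] = [(s.seq + 1) % 2**32, {}]
        elif key in streams and s.payload:
            streams[key][1].setdefault(s.seq, s.payload)  # keep first copy
    for nxt, chunks in streams.values():
        data = b""
        while nxt in chunks:  # stop at the first gap in sequence space
            data += chunks[nxt]
            nxt = (nxt + len(chunks[nxt])) % 2**32
        if keyword in data:
            return True
    return False

def sample_flow(dport, from_client=True):
    """Constructed flow: b'KEYWORD' split over two segments, delivered out of order."""
    c, s = ("10.0.0.5", 40000), ("10.0.0.9", dport)
    syn = Segment(*c, *s, seq=1000, initial_syn=True)
    a, b = (c, s) if from_client else (s, c)
    first = b"GET /?q=KEY"
    return [syn,
            Segment(*a, *b, seq=1001 + len(first), payload=b"WORD HTTP/1.0\r\n\r\n"),
            Segment(*a, *b, seq=1001, payload=first)]
```
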



	
		



