[Snort-devel] problem with stream reassembly

antonat antonat at ...1996...
Thu Jul 15 10:19:00 EDT 2004


I have a tcpdump trace containing packets from a "wget" I did on a local
web server. The page I asked for is around 4k. When I perform tcp reassembly
(on both sides) using stream4 I get a reassembled packet, but it does not
contain the whole page (a packet is missing from the reassembly; I can
detect a string that is located half in the 1st and half in the 2nd packet
of the page but not a string between the 2nd and 3rd packet). I am using Snort
2.2.0RC1. The configuration file (containing the string I cannot detect)
as well as the trace are attached.

thanks in advance,
Antonatos Spiros
-------------- next part --------------
A non-text attachment was scrubbed...
Name: webtrace.dump
Type: application/octet-stream
Size: 6296 bytes
Desc: 
URL: <https://lists.snort.org/pipermail/snort-devel/attachments/20040715/437756b0/attachment.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: tmp.conf
Type: application/octet-stream
Size: 686 bytes
Desc: 
URL: <https://lists.snort.org/pipermail/snort-devel/attachments/20040715/437756b0/attachment-0001.obj>

