[Snort-devel] content-rule not matching with no_stream_inserts on 1st packet
florian.westphal at ...3285...
Wed Sep 25 12:30:15 EDT 2013
Snort 188.8.131.52. A simple rule like:
alert tcp any any -> any any (msg:"Foobar"; content:"foobar"; sid:12345;)
Does not match if all of the following conditions hold:
- connection is not being reassembled (ports are not listed in stream5 config)
- "config detection: no_stream_inserts" is enabled in snort.conf
- the pattern appears in the first data packet
The first packet still has the "PKT_STREAM_INSERT" flag set, which is why
fpEvalHeaderSW() skips it. But no reassembled packet will ever be sent
to the detection engine. This is no longer the case for subsequent
packets, so if the content appears in a later packet the alert is
The rule will fire with the attached pcap even in the above config
when I add a Stream5FlushTalker() to AutoDiable() in
It would be nice if this could be fixed in a future release of snort.
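The pcap attached to the post is not reproduced here. As an added example (not code from the post or from the Snort project), the script below builds an equivalent capture: a three-way handshake followed by a single client segment whose payload carries "foobar", on a port assumed to be absent from the stream5_tcp port list so the flow is not reassembled. The addresses, ports, MAC addresses and sequence numbers are constructed values; the IP and TCP checksums are computed so Snort's decoder accepts the packets.

```python
import struct

# Constructed example: a minimal pcap that reproduces the condition the
# post describes -- a TCP session on a port stream5 does not reassemble,
# whose very first data segment carries the pattern "foobar".
# Every address, port, MAC and sequence number below is an assumption.

TCP_FIN, TCP_SYN, TCP_PSH, TCP_ACK = 0x01, 0x02, 0x08, 0x10

CLIENT_IP, SERVER_IP = "10.0.0.1", "10.0.0.2"
CLIENT_PORT, SERVER_PORT = 40000, 7777   # 7777 assumed NOT in the stream5 port list
PATTERN = b"foobar\n"


def ones_complement_sum(data: bytes) -> int:
    """RFC 1071 checksum over data (odd length is zero-padded)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ip_bytes(dotted: str) -> bytes:
    return bytes(int(octet) for octet in dotted.split("."))


def build_frame(src_ip, dst_ip, sport, dport, seq, ack, flags, payload=b""):
    """Ethernet/IPv4/TCP frame with valid IP and TCP checksums, no options."""
    tcp = struct.pack("!HHIIHHHH", sport, dport, seq, ack,
                      (5 << 12) | flags, 65535, 0, 0)
    pseudo = (ip_bytes(src_ip) + ip_bytes(dst_ip)
              + struct.pack("!BBH", 0, 6, len(tcp) + len(payload)))
    tcp_csum = ones_complement_sum(pseudo + tcp + payload)
    tcp = tcp[:16] + struct.pack("!H", tcp_csum) + tcp[18:]

    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload),
                     0x1234, 0x4000, 64, 6, 0, ip_bytes(src_ip), ip_bytes(dst_ip))
    ip = ip[:10] + struct.pack("!H", ones_complement_sum(ip)) + ip[12:]

    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    return eth + ip + tcp + payload


def build_session():
    """Three-way handshake, then one client segment carrying PATTERN."""
    cseq, sseq = 1000, 5000
    return [
        build_frame(CLIENT_IP, SERVER_IP, CLIENT_PORT, SERVER_PORT, cseq, 0, TCP_SYN),
        build_frame(SERVER_IP, CLIENT_IP, SERVER_PORT, CLIENT_PORT, sseq, cseq + 1, TCP_SYN | TCP_ACK),
        build_frame(CLIENT_IP, SERVER_IP, CLIENT_PORT, SERVER_PORT, cseq + 1, sseq + 1, TCP_ACK),
        # first data packet of the flow: this is where the rule should match
        build_frame(CLIENT_IP, SERVER_IP, CLIENT_PORT, SERVER_PORT, cseq + 1, sseq + 1,
                    TCP_PSH | TCP_ACK, PATTERN),
    ]


def pcap_bytes(frames, base_ts=1380000000):
    """Serialize frames as a classic libpcap file (link type 1 = Ethernet)."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]
    for i, frame in enumerate(frames):
        out.append(struct.pack("<IIII", base_ts, i * 1000, len(frame), len(frame)))
        out.append(frame)
    return b"".join(out)


def checksums_ok(frame: bytes) -> bool:
    """Re-verify both checksums: a correct header/segment sums to zero."""
    ip = frame[14:34]
    tcp = frame[34:]
    pseudo = ip[12:16] + ip[16:20] + struct.pack("!BBH", 0, 6, len(tcp))
    return ones_complement_sum(ip) == 0 and ones_complement_sum(pseudo + tcp) == 0


def tcp_payload(frame: bytes) -> bytes:
    """Payload after the 14-byte Ethernet, 20-byte IP and 20-byte TCP headers."""
    return frame[54:]


if __name__ == "__main__":
    frames = build_session()
    with open("no_stream_inserts_repro.pcap", "wb") as fh:
        fh.write(pcap_bytes(frames))
    print("wrote %d frames" % len(frames))
```

To exercise the report, load the rule from the post into a snort.conf that has "config detection: no_stream_inserts" enabled and does not list port 7777 for stream5_tcp, then run `snort -c snort.conf -r no_stream_inserts_repro.pcap -A console`. According to the post, no alert fires in that configuration even though the first data segment contains the pattern; disabling no_stream_inserts, or moving the pattern into a later segment, is what the post reports as making the alert appear.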
A non-text attachment was scrubbed...
Size: 703 bytes
Desc: not available