[Snort-devel] content-rule not matching with no_stream_inserts on 1st packet

Florian Westphal florian.westphal at ...3285...
Wed Sep 25 12:30:15 EDT 2013


Snort 2.9.5.3. A simple rule like:

alert tcp any any -> any any (msg:"Foobar"; content:"foobar"; sid:12345;)

Does not match if all of the following conditions hold:

- connection is not being reassembled (ports are not listed in stream5 config)
- "config detection: no_stream_inserts" is enabled in snort.conf
- the pattern appears in the first data packet

The first packet still has "PKT_STREAM_INSERT" flag set, which is why
fpEvalHeaderSW() skips it.  But no reassembled packet will ever be sent
to the detection engine.  This is no longer the case for subsequent
packets, so if the content appears in a later packet the alert is
triggered.

The rule will fire with the attached pcap even in the above config
when I add a Stream5FlushTalker() to AutoDiable() in
src/preprocessors/Stream5/snort_stream5_tcp.c.

It would be nice if this could be fixed in a future release of snort.

Thanks,
Florian
-------------- next part --------------
A non-text attachment was scrubbed...
Name: foobar.pcap
Type: application/octet-stream
Size: 703 bytes
Desc: not available
URL: <https://lists.snort.org/pipermail/snort-devel/attachments/20130925/c5dfabaa/attachment.obj>
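A self-contained way to reproduce the condition described above and to regression-test it after an upgrade is to generate the pcap yourself rather than rely on the scrubbed attachment. The script below is an added example, not code from the post or from the Snort project: it writes a four-packet TCP session (SYN, SYN/ACK, ACK, then a single data segment carrying "foobar") with valid IP and TCP checksums, so Stream5 sees a complete handshake and the pattern lands in the very first data packet. The addresses, MACs, sequence numbers and the server port 4444 are constructed values; the port is assumed not to appear in the stream5 ports list of the snort.conf under test, which is what keeps the session out of reassembly.

```python
import struct
import socket

# TCP flag bits (constructed constants matching RFC 793 values)
SYN, ACK, PSH = 0x02, 0x10, 0x08


def checksum(data: bytes) -> int:
    """RFC 1071 ones' complement sum over 16-bit big-endian words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_tcp_frame(src_ip, dst_ip, sport, dport, seq, ack, flags, payload=b""):
    """Return an Ethernet/IPv4/TCP frame with correct IP and TCP checksums."""
    src, dst = socket.inet_aton(src_ip), socket.inet_aton(dst_ip)
    tcp_len = 20 + len(payload)
    # data offset 5 words, no options; window and urgent pointer are arbitrary
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 65535, 0, 0)
    pseudo = struct.pack("!4s4sBBH", src, dst, 0, 6, tcp_len)
    tcp_csum = checksum(pseudo + tcp_hdr + payload)
    tcp_hdr = tcp_hdr[:16] + struct.pack("!H", tcp_csum) + tcp_hdr[18:]
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + tcp_len, 0x1234, 0x4000, 64, 6, 0, src, dst)
    ip_hdr = ip_hdr[:10] + struct.pack("!H", checksum(ip_hdr)) + ip_hdr[12:]
    # constructed MAC addresses, EtherType 0x0800 (IPv4)
    eth = b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb" + b"\x08\x00"
    return eth + ip_hdr + tcp_hdr + payload


def build_session(payload=b"GET /foobar HTTP/1.0\r\n\r\n", client_port=40000, server_port=4444):
    """Three-way handshake followed by one client data segment carrying the pattern."""
    c, s = "10.0.0.1", "10.0.0.2"          # constructed endpoints
    cseq, sseq = 1000, 5000                 # constructed initial sequence numbers
    return [
        build_tcp_frame(c, s, client_port, server_port, cseq, 0, SYN),
        build_tcp_frame(s, c, server_port, client_port, sseq, cseq + 1, SYN | ACK),
        build_tcp_frame(c, s, client_port, server_port, cseq + 1, sseq + 1, ACK),
        build_tcp_frame(c, s, client_port, server_port, cseq + 1, sseq + 1, PSH | ACK, payload),
    ]


def pcap_bytes(frames):
    """Serialise frames as a classic little-endian pcap (linktype 1 = Ethernet)."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]
    for i, frame in enumerate(frames):
        out.append(struct.pack("<IIII", 1380000000 + i, i * 1000, len(frame), len(frame)))
        out.append(frame)
    return b"".join(out)


def parse_pcap(data):
    """Walk the records back and return (tcp_flags, payload) per frame."""
    magic, = struct.unpack("<I", data[:4])
    if magic != 0xA1B2C3D4:
        raise ValueError("not a little-endian classic pcap")
    off, records = 24, []
    while off < len(data):
        _, _, incl_len, _ = struct.unpack("<IIII", data[off:off + 16])
        off += 16
        frame = data[off:off + incl_len]
        off += incl_len
        ihl = (frame[14] & 0x0F) * 4
        tcp = frame[14 + ihl:]
        doff = (tcp[12] >> 4) * 4
        records.append((tcp[13], tcp[doff:]))
    return records


def checksums_valid(frame):
    """Recompute both checksums; a correct header sums to zero under ones' complement."""
    ip = frame[14:34]
    seg = frame[34:]
    pseudo = struct.pack("!4s4sBBH", ip[12:16], ip[16:20], 0, 6, len(seg))
    return checksum(ip) == 0 and checksum(pseudo + seg) == 0


if __name__ == "__main__":
    with open("foobar_repro.pcap", "wb") as fh:
        fh.write(pcap_bytes(build_session()))
```

Replay the file with `snort -c snort.conf -r foobar_repro.pcap -A console` under a config that has `config detection: no_stream_inserts` and the above rule; the post's description predicts no alert for this capture, while moving the same payload into a second data segment (append another `build_tcp_frame(..., PSH | ACK, payload)` with the sequence number advanced) should alert. Checking the checksums before replay matters because Stream5 drops segments with bad TCP checksums by default, which would mask the test.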