[Snort-devel] content-rule not matching with no_stream_inserts on 1st packet

Hui Cao hcao at ...402...
Wed Sep 25 15:40:44 EDT 2013


Hi Florian,

Thanks for reporting this issue. We are looking into this.

Best,
Huil

On Wed, Sep 25, 2013 at 12:30 PM, Florian Westphal
<florian.westphal at ...3285...> wrote:
> Snort 2.9.5.3. A simple rule like:
>
> alert tcp any any -> any any (msg:"Foobar"; content:"foobar"; sid:12345;)
>
> Does not match if all of the following conditions hold:
>
> - connection is not being reassembled (ports are not listed in stream5 config)
> - "config detection: no_stream_inserts" is enabled in snort.conf
> - the pattern appears in the first data packet
>
> The first packet still has "PKT_STREAM_INSERT" flag set, which is why
> fpEvalHeaderSW() skips it.  But no reassembled packet will ever be sent
> to the detection engine.  This is no longer the case for subsequent
> packets, so if the content appears in later packet the alert is
> triggered.
>
> The rule will fire with the attached pcap even in the above config
> when I add a Stream5FlushTalker() to AutoDiable() in
> src/preprocessors/Stream5/snort_stream5_tcp.c.
>
> It would be nice if this could be fixed in a future release of snort.
>
> Thanks,
> Florian
>
> ------------------------------------------------------------------------------
> October Webinars: Code for Performance
> Free Intel webinars can help you accelerate application performance.
> Explore tips for MPI, OpenMP, advanced profiling, and more. Get the most from
> the latest Intel processors and coprocessors. See abstracts and register >
> http://pubads.g.doubleclick.net/gampad/clk?id=60133471&iu=/4140/ostg.clktrk
> _______________________________________________
> Snort-devel mailing list
> Snort-devel at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-devel
> Archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel
>
> Please visit http://blog.snort.org for the latest news about Snort!




More information about the Snort-devel mailing list