[Snort-devel] snort- problem imap, pop, smtp paf reassembly

Carter Waxman (cwaxman) cwaxman at ...3461...
Fri Apr 4 10:22:53 EDT 2014


Thank you for reporting this. We are aware of this issue and it should be fixed in upcoming releases.

Thank you,

From: Mitesh Jadia <mitesh.jadia at ...2499...>
Date: Friday, April 4, 2014 4:11 AM
To: Snort-devel at lists.sourceforge.net
Cc: Joel Esler <jesler at ...402...>
Subject: [Snort-devel] snort- problem imap,pop,smtp paf reassembly


I found one strange behavior in IMAP, POP, SMTP reassembly when a mail has an attachment with MIME Content-Transfer-Encoding = 7bit.
The configuration of paf_max is 16000 and the file has plain-text content (file size: 64kb). Ideally I should get a reassembled packet when the paf limit is reached or EOF is reached. But I am getting a reassembled packet of 1460 bytes after each packet from the server (IMAP case).

I debugged the code and found the problem with the mime_paf function in the file-process utility. It finds \r\n in a normal text file and flushes the packet.

Mitesh Jadia
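
The effect reported above can be reproduced with a toy flush model. This is an added example, not Snort code and not from either poster: `build_body`, `count_pdus` and the 64-byte line length are hypothetical, and the model assumes every full segment carries 1460 bytes and that a paf_max flush happens exactly at 16000 pending bytes.

```c
#include <stddef.h>
#include <stdio.h>

#define MSS 1460        /* segment payload size seen in the report */
#define PAF_MAX 16000   /* paf_max value from the report */
#define BODY_LEN 65536  /* 64 KB plain-text attachment */

/* Constructed sample: 7bit text body, 64-byte lines ending in CRLF. */
static void build_body(unsigned char *buf, size_t len) {
    for (size_t i = 0; i < len; i++) {
        size_t col = i % 64;
        buf[i] = col == 62 ? '\r' : col == 63 ? '\n' : 'A';
    }
}

/* Toy flush model (hypothetical, simplified).
 * flush_on_crlf = 1: flush at the end of any segment in which a CRLF completed.
 * flush_on_crlf = 0: flush only at PAF_MAX pending bytes or at end of data.
 * Returns the number of PDUs; *largest receives the biggest PDU size. */
static size_t count_pdus(const unsigned char *data, size_t len,
                         int flush_on_crlf, size_t *largest) {
    size_t pdus = 0, pending = 0;
    int prev_cr = 0, saw_crlf = 0;   /* prev_cr survives segment boundaries */
    *largest = 0;
    for (size_t i = 0; i < len; i++) {
        if (prev_cr && data[i] == '\n') saw_crlf = 1;
        prev_cr = (data[i] == '\r');
        pending++;
        int seg_end = ((i + 1) % MSS == 0);
        int eof = (i + 1 == len);
        if ((flush_on_crlf && seg_end && saw_crlf) || pending == PAF_MAX || eof) {
            if (pending > *largest) *largest = pending;
            pdus++;
            pending = 0; saw_crlf = 0;
        }
    }
    return pdus;
}

int main(void) {
    static unsigned char body[BODY_LEN];
    size_t big;
    build_body(body, BODY_LEN);
    size_t n = count_pdus(body, BODY_LEN, 1, &big);
    printf("flush on CRLF:    %zu PDUs, largest %zu bytes\n", n, big);
    n = count_pdus(body, BODY_LEN, 0, &big);
    printf("paf_max/EOF only: %zu PDUs, largest %zu bytes\n", n, big);
    return 0;
}
```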