[Snort-devel] snort-220.127.116.11 problem imap, pop, smtp paf reassembly
Carter Waxman (cwaxman)
cwaxman at ...3461...
Fri Apr 4 10:22:53 EDT 2014
Thank you for reporting this. We are aware of this issue and it should be fixed in upcoming releases.
From: Mitesh Jadia <mitesh.jadia at ...2499...<mailto:mitesh.jadia at ...2499...>>
Date: Friday, April 4, 2014 4:11 AM
To: "Snort-devel at lists.sourceforge.net<mailto:Snort-devel at ...362....net>" <Snort-devel at lists.sourceforge.net<mailto:Snort-devel at ...2763...rge.net>>
Cc: Joel Esler <jesler at ...402...<mailto:jesler at ...402...>>
Subject: [Snort-devel] snort-18.104.22.168 problem imap,pop,smtp paf reassembly
I found one strange behavior in imap,pop,smtp reassembly when mail has attachment with mime content-transfer-encoding = 7bit.
configuration of paf_max is 16000 and the file has content of plain text(file-size : 64kb). Ideally I should get reassembled packet when paf limit is reached or EOF is reached. But I am getting reassembled packet of 1460 bytes after each packet from server(Imap case).
I debugged the code and found the problem with mime_paf function in file-process utility. It find \r\n in normal text file and flushes the packet.
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Snort-devel