[Snort-devel] Snort decoder

Al Lewis (allewi) allewi at ...3461...
Mon Jan 26 08:31:21 EST 2015


Base64 depth can be set under each preprocessor. In general "-1" disables it, 0 sets it to unlimited. Anything between 1-65535 sets it to a specific depth. See the manual for an example here:

http://manual.snort.org/node17.html


From the manual on the smtp preprocessor section:

b64_decode_depth 
This config option is used to turn off/on or set the base64 decoding depth used to decode the base64 encoded MIME attachments. The value ranges from -1 to 65535. A value of -1 turns off the base64 decoding of MIME attachments. The value of 0 sets the decoding of base64 encoded MIME attachments to unlimited. A value other than 0 or -1 restricts the decoding of base64 MIME attachments, and applies per attachment. An SMTP preprocessor alert with sid 10 is generated (if enabled) when the decoding fails.


Hope this helps.

Albert Lewis
QA Software Engineer
SOURCEfire, Inc. now part of Cisco
9780 Patuxent Woods Drive
Columbia, MD 21046 
Phone: (office) 443.430.7112
Email: allewi at ...3461... 

-----Original Message-----
From: Ron Sal [mailto:nsamurain at ...2499...] 
Sent: Monday, January 26, 2015 8:21 AM
To: snort-devel at lists.sourceforge.net
Subject: [Snort-devel] Snort decoder


> My problem is that if I want to match on multiple contents within the
> base64 decoded data (done by the preprocessor, file_data), it's like there
> is a limit on the maximum distance between the contents.
> 
> 2 contents with 10024 bytes between them is not working, but 2
> contents with 2016 between them is working. Is there a limit? Can I read
> about it? Is it configurable?

/Ronnie
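As an added illustration of the depth settings described in the reply above (this is example configuration written for this page, not from the original thread or the Snort project's own documentation), here is a snort.conf fragment for the SMTP preprocessor with a capped decode depth beside an unlimited one, followed by a rule that matches two contents in the decoded attachment. The port list, the `max_mime_mem` value, the content strings and the SID are assumed placeholders; only the depth semantics (-1 off, 0 unlimited, 1-65535 per-attachment cap) and the 10024-byte distance come from the page.

```snort
# Added example (not from the thread): SMTP preprocessor decode depth.
# b64_decode_depth: -1 disables base64 decoding, 0 makes it unlimited,
# 1-65535 caps the decoded bytes *per attachment* (see the manual excerpt).

# Capped variant (commented out so only one smtp preprocessor is active):
# only the first 2048 decoded bytes of each attachment reach file_data, so a
# rule whose second match lies 10024 bytes past the first can never fire.
# preprocessor smtp: \
#     ports { 25 587 } \
#     b64_decode_depth 2048 \
#     max_mime_mem 838860

# Unlimited variant: the whole attachment is decoded, bounded only by the
# memory cap max_mime_mem (placeholder value, assumed).
preprocessor smtp: \
    ports { 25 587 } \
    b64_decode_depth 0 \
    max_mime_mem 838860

# Constructed rule: two content matches inside the decoded MIME attachment,
# 10024 bytes apart (the distance from the question). With a 2048-byte depth
# the buffer handed to file_data ends before the second match; with depth 0,
# or any depth at least as large as the offset of the second match, it fires.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( \
    msg:"EXAMPLE two contents 10024 bytes apart in decoded attachment"; \
    flow:to_server,established; \
    file_data; \
    content:"MARKER-A"; \
    content:"MARKER-B"; distance:10024; \
    classtype:misc-activity; sid:1000001; rev:1; )
```

When a rule like this silently stops matching, compare the rule's largest `distance`/`within` span against the decode depth configured for the preprocessor that produces the `file_data` buffer before assuming the rule itself is wrong; the depth applies per attachment, so a small cap truncates every attachment the same way.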
