[Snort-devel] Snort decoder

Ron Sal nsamurain at ...2499...
Mon Jan 26 08:50:16 EST 2015

I have already looked at that option and I have configured it for 0 - unlimited... Snort.log says that it decoded the same amount of bytes as the attached file is...

So I do not think that is the problem, but it sounds like some kind of buffer issue... Maybe a buffer that keeps track of some pointer... So if the distance is too far it does not work... Please help me out here....

Sent from my iPhone

> On 26/01/2015, at 14.31, Al Lewis (allewi) <allewi at ...3461...> wrote:
> Base64 depth can be set under each preprocessor. In general, "-1" disables it, 0 sets it to unlimited. Anything between 1-65535 sets it to a specific depth. See the manual for an example here:
> http://manual.snort.org/node17.html
> From the manual on the smtp preprocessor section:
> b64_decode_depth 
> This config option is used to turn off/on or set the base64 decoding depth used to decode the base64 encoded MIME attachments. The value ranges from -1 to 65535. A value of -1 turns off the base64 decoding of MIME attachments. The value of 0 sets the decoding of base64 encoded MIME attachments to unlimited. A value other than 0 or -1 restricts the decoding of base64 MIME attachments, and applies per attachment. An SMTP preprocessor alert with sid 10 is generated (if enabled) when the decoding fails.
> Hope this helps.
> Albert Lewis
> QA Software Engineer
> SOURCEfire, Inc. now part of Cisco
> 9780 Patuxent Woods Drive
> Columbia, MD 21046 
> Phone: (office) 443.430.7112
> Email: allewi at ...3461... 
> -----Original Message-----
> From: Ron Sal [mailto:nsamurain at ...2499...] 
> Sent: Monday, January 26, 2015 8:21 AM
> To: snort-devel at lists.sourceforge.net
> Subject: [Snort-devel] Snort decoder
>> My problem is that if I want to match on multiple contents within the
>> base64 decoded data (done by preprocessor, file_data), it's like there
>> is a limit for the maximum distance between the contents.
>> 2 contents with 10024 bytes between is not working, but 2
>> contents with 2016 between is working. Is there a limit? Can I read
>> about it? Is it configurable?
> /Ronnie
> _______________________________________________
> Snort-devel mailing list
> Snort-devel at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-devel
> Archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel
> Please visit http://blog.snort.org for the latest news about Snort!
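The following is an added reproducer for the question in this thread; it is not code from the thread participants or from the Snort project. It builds an SMTP DATA payload carrying a base64 MIME attachment in which two marker strings sit a chosen number of bytes apart, decodes it the way the smtp preprocessor would before handing the result to file_data, and computes the distance/within values a rule needs to pin the second marker relative to the first. The rule and preprocessor line use Snort 2.9 syntax; the marker strings, boundary, addresses and the sid 1000001 are assumptions chosen for the example.

```python
"""
Reproducer for matching two contents far apart in the file_data buffer.
Added example; not from the thread or the Snort project.
"""
import base64

# Constructed marker tokens; any two unique strings work.
MARKER_A = b"MARKER-A"
MARKER_B = b"MARKER-B"
MIME_LINE_LEN = 76          # RFC 2045 line limit for base64 bodies
BOUNDARY = b"----=_Part_0"  # assumed MIME boundary


def build_attachment(gap: int) -> bytes:
    """Raw attachment: MARKER_A, `gap` filler bytes, then MARKER_B."""
    return MARKER_A + b"X" * gap + MARKER_B


def b64_body(raw: bytes) -> bytes:
    """Base64-encode and wrap at 76 columns with CRLF, as a mail client does."""
    enc = base64.b64encode(raw)
    lines = [enc[i:i + MIME_LINE_LEN] for i in range(0, len(enc), MIME_LINE_LEN)]
    return b"\r\n".join(lines) + b"\r\n"


def smtp_data(raw: bytes) -> bytes:
    """Bytes sent after the SMTP DATA command: headers, MIME part, terminator."""
    return (
        b"From: sender@example.invalid\r\n"
        b"To: rcpt@example.invalid\r\n"
        b"Subject: file_data distance test\r\n"
        b"MIME-Version: 1.0\r\n"
        b"Content-Type: multipart/mixed; boundary=\"" + BOUNDARY + b"\"\r\n"
        b"\r\n"
        b"--" + BOUNDARY + b"\r\n"
        b"Content-Type: application/octet-stream; name=\"test.bin\"\r\n"
        b"Content-Transfer-Encoding: base64\r\n"
        b"Content-Disposition: attachment; filename=\"test.bin\"\r\n"
        b"\r\n"
        + b64_body(raw) +
        b"--" + BOUNDARY + b"--\r\n"
        b".\r\n"
    )


def decode_attachment(msg: bytes) -> bytes:
    """Extract and decode the base64 part (what ends up in file_data)."""
    part = msg.split(b"--" + BOUNDARY + b"\r\n", 1)[1]      # after part header
    body = part.split(b"\r\n\r\n", 1)[1]                     # after part headers
    body = body.split(b"--" + BOUNDARY + b"--", 1)[0]       # up to closing boundary
    return base64.b64decode(body)   # CRLF is not in the alphabet and is skipped


def rule_values(decoded: bytes) -> dict:
    """distance/within that pin MARKER_B relative to the end of MARKER_A."""
    end_a = decoded.index(MARKER_A) + len(MARKER_A)
    start_b = decoded.index(MARKER_B)
    return {
        "distance": start_b - end_a,      # bytes skipped after the first match
        "within": len(MARKER_B),          # second match must start exactly there
        "decoded_len": len(decoded),      # compare with the bytes snort.log reports
    }


def snort_rule(gap: int, sid: int = 1000001) -> str:
    """Snort 2.9 rule over the decoded buffer; sid is an arbitrary local value."""
    return (
        'alert tcp any any -> any 25 ('
        'msg:"file_data markers %d bytes apart"; '
        'file_data; content:"MARKER-A"; content:"MARKER-B"; '
        'distance:%d; within:%d; sid:%d; rev:1;)' % (gap, gap, len(MARKER_B), sid)
    )


def smtp_preprocessor_config(b64_depth: int = 0) -> str:
    """snort.conf line: 0 decodes without limit, -1 disables, 1..65535 caps."""
    if not -1 <= b64_depth <= 65535:
        raise ValueError("b64_decode_depth must be in -1..65535")
    return ("preprocessor smtp: ports { 25 587 } inspection_type stateful "
            "b64_decode_depth %d" % b64_depth)


if __name__ == "__main__":
    for gap in (2016, 10024):
        raw = build_attachment(gap)
        decoded = decode_attachment(smtp_data(raw))
        assert decoded == raw
        print(gap, rule_values(decoded))
        print(snort_rule(gap))
    print(smtp_preprocessor_config(0))
```

Send the output of smtp_data() over a real SMTP session (or write it to a pcap and run snort -r) with the printed rule loaded; the decoded_len value is the number to compare against what snort.log reports as decoded, and the two gap sizes reproduce the working and non-working cases from the original question side by side.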
