[Snort-devel] Snort decoder

Al Lewis (allewi) allewi at ...3461...
Mon Jan 26 08:59:24 EST 2015


Search the manual for "PAF" and check your conf settings to see if the data is outside the flush point.

An example of your snort.conf / pcap would help as well.


Albert Lewis
QA Software Engineer
SOURCEfire, Inc. now part of Cisco
9780 Patuxent Woods Drive
Columbia, MD 21046 
Phone: (office) 443.430.7112
Email: allewi at ...3461... 


-----Original Message-----
From: Ron Sal [mailto:nsamurain at ...2499...] 
Sent: Monday, January 26, 2015 8:50 AM
To: Al Lewis (allewi)
Cc: snort-devel at lists.sourceforge.net
Subject: Re: [Snort-devel] Snort decoder

I have already looked at that option and I have configured it for 0 - unlimited... Snort.log says that I decoded the same amount of bytes as the attached file is...

So I do not think that is the problem, but it sounds like some kind of buffer issue... Maybe a buffer that keeps track of some pointer... So if the distance is too far it does not work... Please help me out here....

Sent from my iPhone

> On 26/01/2015, at 14.31, Al Lewis (allewi) <allewi at ...3461...> wrote:
> 
> Base64 depth can be set under each preprocessor. In general "-1" disables it, 0 sets it to unlimited. Anything between 1-65535 sets it to a specific depth. See the manual for an example here:
> 
> http://manual.snort.org/node17.html
> 
> 
> From the manual on the smtp preprocessor section:
> 
> b64_decode_depth
> This config option is used to turn off/on or set the base64 decoding depth used to decode the base64 encoded MIME attachments. The value ranges from -1 to 65535. A value of -1 turns off the base64 decoding of MIME attachments. The value of 0 sets the decoding of base64 encoded MIME attachments to unlimited. A value other than 0 or -1 restricts the decoding of base64 MIME attachments, and applies per attachment. An SMTP preprocessor alert with sid 10 is generated (if enabled) when the decoding fails.
> 
> 
> Hope this helps.
> 
> 
> -----Original Message-----
> From: Ron Sal [mailto:nsamurain at ...2499...]
> Sent: Monday, January 26, 2015 8:21 AM
> To: snort-devel at lists.sourceforge.net
> Subject: [Snort-devel] Snort decoder
> 
> 
>> My problem is that if I want to match on multiple contents within the
>> base64 decoded data (done by the preprocessor, file_data) it's like there
>> is a limit on the maximum distance between the contents.
>> 
>> 2 contents with 10024 bytes between them is not working, but 2
>> contents with 2016 between is working. Is there a limit? Can I read
>> about it? Is it configurable?
> 
> /Ronnie
> 
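An added illustration, not Snort's code and not written by anyone in this thread: a toy model of the b64_decode_depth semantics quoted above (-1 off, 0 unlimited, 1-65535 bytes per attachment), showing why two contents separated by more bytes than the decoded depth cannot both be matched in file_data. The truncation model, the simplified `distance` handling and the sample attachment are assumptions made here for illustration; the real decoder also interacts with stream reassembly (PAF flush points) as the reply notes.

```python
import base64
from typing import Optional


def decode_with_depth(b64_attachment: bytes, depth: int) -> Optional[bytes]:
    """Model of b64_decode_depth: return the decoded buffer a rule would see.

    -1 disables decoding (no file_data buffer at all), 0 is unlimited,
    1..65535 caps the decoded bytes kept per attachment. Assumed model only.
    """
    if depth == -1:
        return None
    if not -1 <= depth <= 65535:
        raise ValueError("depth must be in -1..65535")
    decoded = base64.b64decode(b64_attachment, validate=True)
    return decoded if depth == 0 else decoded[:depth]


def both_contents_match(buf: Optional[bytes], first: bytes,
                        second: bytes, distance: int) -> bool:
    """Emulate `content:first; content:second; distance:N;` on one buffer.

    The second content must start at least `distance` bytes after the end
    of the first match (simplified: only the first occurrence is tried).
    """
    if buf is None:
        return False
    i = buf.find(first)
    if i < 0:
        return False
    return buf.find(second, i + len(first) + distance) >= 0


def build_attachment(gap: int) -> bytes:
    # Constructed sample attachment: marker, `gap` filler bytes, marker, trailer.
    raw = b"BEGIN-MARK" + b"x" * gap + b"END-MARK" + b"trailer"
    return base64.b64encode(raw)


def rule_fires(gap: int, depth: int, distance: int = 0) -> bool:
    """Would a two-content rule fire for an attachment with `gap` filler bytes?"""
    buf = decode_with_depth(build_attachment(gap), depth)
    return both_contents_match(buf, b"BEGIN-MARK", b"END-MARK", distance)


if __name__ == "__main__":
    # Same numbers as the thread: 2016 bytes apart matches, 10024 does not
    # once the decoded depth is smaller than the gap.
    for gap, depth in [(2016, 4096), (10024, 4096), (10024, 0), (10024, -1)]:
        print(f"gap={gap:5d} depth={depth:5d} -> fires={rule_fires(gap, depth)}")
```

Raising the depth (or 0 for unlimited) makes the 10024-byte case match, which is the first thing to verify before suspecting a matcher limit.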