[Snort-devel] Snort decoder
Al Lewis (allewi)
allewi at ...3461...
Mon Jan 26 08:59:24 EST 2015
Search the manual for "PAF" and check your conf settings to see if the data is outside the flush point.
An example of your snort.conf / pcap would help as well.
QA Software Engineer
SOURCEfire, Inc. now part of Cisco
9780 Patuxent Woods Drive
Columbia, MD 21046
Phone: (office) 443.430.7112
Email: allewi at ...3461...
From: Ron Sal [mailto:nsamurain at ...2499...]
Sent: Monday, January 26, 2015 8:50 AM
To: Al Lewis (allewi)
Cc: snort-devel at lists.sourceforge.net
Subject: Re: [Snort-devel] Snort decoder
I have already looked at that option and I have configured it for 0 - unlimited... Snort.log says that it decoded the same number of bytes as the attached file is...
So I do not think that is the problem, but it sounds like some kind of buffer issue... Maybe a buffer that keeps track of some pointer... So if the distance is too far it does not work... Please help me out here...
Sent from my iPhone
> On 26/01/2015, at 14.31, Al Lewis (allewi) <allewi at ...3461...> wrote:
> Base64 depth can be set under each preprocessor. In general "-1" disables it, 0 sets it to unlimited. Anything between 1-65535 sets it to a specific depth. See the manual for an example here:
> From the manual on the smtp preprocessor section:
> This config option is used to turn off/on or set the base64 decoding depth used to decode the base64 encoded MIME attachments. The value ranges from -1 to 65535. A value of -1 turns off the base64 decoding of MIME attachments. The value of 0 sets the decoding of base64 encoded MIME attachments to unlimited. A value other than 0 or -1 restricts the decoding of base64 MIME attachments, and applies per attachment. An SMTP preprocessor alert with sid 10 is generated (if enabled) when the decoding fails.
> Hope this helps.
> Albert Lewis
> QA Software Engineer
> SOURCEfire, Inc. now part of Cisco
> 9780 Patuxent Woods Drive
> Columbia, MD 21046
> Phone: (office) 443.430.7112
> Email: allewi at ...3461...
> -----Original Message-----
> From: Ron Sal [mailto:nsamurain at ...2499...]
> Sent: Monday, January 26, 2015 8:21 AM
> To: snort-devel at lists.sourceforge.net
> Subject: [Snort-devel] Snort decoder
>> My problem is that if I want to match on multiple contents within the
>> base64 decoded data (done by the preprocessor, file_data) it's like there
>> is a limit for the maximum distance between the contents.
>> 2 contents with 10024 bytes between them is not working, but 2
>> contents with 2016 between them is working. Is there a limit? Can I read
>> about it? Is it configurable?
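For reference, the settings the two replies point at, put together in one snort.conf fragment. This is an added illustration, not configuration from the thread or from the Snort distribution: the ports, the marker strings, the sid and the paf_max value are assumed for the example, and the rule only requires the second marker to follow the first rather than encoding a specific gap.

```snort
# --- PAF (protocol-aware flushing) -----------------------------------------
# Reassembled TCP data is handed to the detection engine in PDUs no larger
# than the flush point. Two content matches cannot span a flush boundary,
# so if the second marker lands past it the rule never sees both.
# Manual range is 0-63780, default 16000; 63780 is assumed here as the
# largest value for the test.
config paf_max: 63780

# --- SMTP preprocessor -----------------------------------------------------
# b64_decode_depth: -1 = off, 0 = unlimited, 1-65535 = bytes per attachment.
# The other three decoders are set to unlimited as well so a quoted-printable
# or uuencoded attachment does not get silently truncated instead.
preprocessor smtp: ports { 25 587 } \
    inspection_type stateful \
    normalize cmds \
    b64_decode_depth 0 \
    qp_decode_depth 0 \
    bitenc_decode_depth 0 \
    uu_decode_depth 0

# The "decoding failed" alert the manual text refers to (sid 10) is a
# preprocessor rule; it only fires if the preprocessor rules are included.
include $PREPROC_RULE_PATH/preprocessor.rules

# --- Rule ------------------------------------------------------------------
# Both markers must be found in the decoded attachment (the file_data buffer),
# MARKER-TWO somewhere after MARKER-ONE. Ports, markers and sid are assumed.
alert tcp any any -> any [25,587] (msg:"Two markers in decoded MIME attachment"; \
    flow:to_server,established; \
    file_data; \
    content:"MARKER-ONE"; \
    content:"MARKER-TWO"; distance:0; \
    sid:1000001; rev:1;)
```

To check which limit is in play, run the pcap with `snort -c snort.conf -r test.pcap -A console` once with the default paf_max and once with the larger value: if the rule fires only with the larger flush point, the second marker was being delivered in the next PDU; if it fires with neither, look at the decode depth and at whether the preprocessor's sid 10 alert appears in the output.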