[Snort-sigs] Snort 1.9 "within:" option broken? (fwd)

Carl Gibbons cgibbons at ...1299...
Thu Feb 20 19:44:03 EST 2003


On Fri, 14 Feb 2003, Chris Green wrote:

> Carl Gibbons <cgibbons at ...1299...> writes:
>
> > I read the options
> >   content:!"|0a|"; within:1024;
> > as
> >   "match if 0x0a (newline) does not appear in the
> >    first 1024 bytes of the payload."
> >
> > Nevertheless, this rule just alerted on a packet with the following payload:
> >
> > 32 20 61 75 74 68 65 6E 74 69 63 61 74 65 20 70  2 authenticate p
> > 6C 61 69 6E 0D 0A                                lain..
>
> Was the packet sent through the stream reassembler?  I just committed
> patches to 1.9 CVS that should clear up a lot of those errors people
> are running into.

Yes, snort.conf has "preprocessor stream4_reassemble" in it. Thanks.
- Carl




