[Snort-sigs] Important

Matt Kettler mkettler at ...189...
Tue Apr 6 12:56:13 EDT 2004


At 02:32 PM 4/6/2004, Chintan Gosalia wrote:
>It matches the last pattern within the next 1280 bytes. I think most of 
>the SMTP packets are 512 bytes chunks. So does snort support multiple 
>packet content matching? I think all the contents should be within a 
>single packet and they can not span across multiple packets.

That's what the stream4 preprocessor does.

However, if there's an acknowledgment between them then stream4 won't help. 
However, AFAIK, the smtp DATA phase has no acknowledgements, other than 
your general tcp acks.

Also, due to the Nagle algorithm the SMTP DATA phase is not likely to be 
transferred over the wire as 512 byte IP packets containing TCP segments. 
They are likely to be full PMTU sized segments.

The SMTP restriction merely is that there be a maximum of 512 bytes per 
line before an EOL character appears. However, SMTP does not, and in fact 
can not, specify what size the TCP stack frames the data as.
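Added example (not part of the original post or of Snort itself): a small Python model of the point made in this exchange. Two content patterns joined by a `within` distance are looked for first in each TCP segment on its own, then in the stream reassembled in sequence order, the way stream4 reassembles it; the SMTP DATA payloads and the sequence numbers are constructed for the demonstration.

```python
# Constructed SMTP DATA phase, in wire order. The segment boundary falls in the
# middle of "attached file", so the two patterns never share one segment.
PAYLOADS = [
    b"DATA\r\n354 go ahead\r\nFrom: a@example.org\r\nTo: b@example.org\r\n",
    b"Subject: hello\r\n\r\nplease see the attached fi",
    b"le: malicious.exe\r\n.\r\n",
]

def make_segments(payloads, isn=1000):
    """Assign consecutive TCP sequence numbers (hypothetical ISN) to payloads."""
    segments, seq = [], isn
    for payload in payloads:
        segments.append((seq, payload))
        seq += len(payload)
    return segments

# Delivered to the sensor in reverse order to show that reassembly must sort.
SEGMENTS = make_segments(PAYLOADS)[::-1]

def reassemble(segments):
    """Order segments by sequence number and concatenate contiguous payloads."""
    stream, expected = b"", None
    for seq, payload in sorted(segments):
        if expected is not None and seq != expected:
            raise ValueError(f"gap or overlap at seq {seq}, expected {expected}")
        stream += payload
        expected = seq + len(payload)
    return stream

def match_within(data, first, second, within):
    """Emulate `content:first; content:second; within:N`: the second pattern must
    lie entirely inside the N bytes following the end of the first match."""
    i = data.find(first)
    if i < 0:
        return False
    end = i + len(first)
    return data.find(second, end, end + within) >= 0

def per_packet_hits(segments, first, second, within):
    """Sequence numbers of segments that match on their own (no reassembly)."""
    return [seq for seq, p in segments if match_within(p, first, second, within)]

def stream_hit(segments, first, second, within):
    """Same rule applied to the reassembled stream."""
    return match_within(reassemble(segments), first, second, within)

if __name__ == "__main__":
    rule = (b"attached", b"malicious.exe", 32)
    print("per-packet hits:", per_packet_hits(SEGMENTS, *rule))  # []
    print("stream hit:", stream_hit(SEGMENTS, *rule))            # True
```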
