mkettler at ...189...
Tue Apr 6 12:56:13 EDT 2004
At 02:32 PM 4/6/2004, Chintan Gosalia wrote:
>It matches the last pattern within the next 1280 bytes. I think most of
>the SMTP packets are 512-byte chunks. So does snort support multiple
>packet content matching? I think all the contents should be within a
>single packet and they cannot span across multiple packets.

That's what the stream4 preprocessor does.

However, if there's an acknowledgment between them then stream4 won't help.
However, AFAIK, the SMTP DATA phase has no acknowledgments, other than
your general TCP ACKs.

Also, due to the Nagle algorithm the SMTP DATA phase is not likely to be
transferred over the wire as 512-byte IP packets containing TCP segments.
They are likely to be full PMTU-sized segments.

The SMTP restriction merely is that there be a maximum of 512 bytes per
line before an EOL character appears. However, SMTP does not, and in fact
cannot, specify what size the TCP stack frames the data as.
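
Added example, not part of the original message and not Snort's or stream4's code: a simplified Python model of two content patterns with the 1280-byte window from the thread, checked against each TCP payload alone and against the reassembled stream. The pattern strings, padding lines and the 1460-byte segment size are constructed assumptions.

```python
# Added illustration: a simplified model, not Snort's or stream4's code.
WITHIN = 1280  # window size quoted in the thread
MSS = 1460     # assumed full-size segment payload on Ethernet

# Constructed sample patterns and SMTP DATA body (every line under 512 bytes).
FIRST = b"Content-Type: multipart/mixed"
SECOND = b'filename="sample.bin"'
PAD = b"X-Pad: " + b"a" * 70 + b"\r\n"  # 79 bytes per line
BODY = PAD * 17 + FIRST + b"\r\n" + PAD * 3 + SECOND + b"\r\n"


def match_pair(buf, first, second, within=WITHIN):
    """True if `second` lies wholly within `within` bytes after some `first`."""
    start = buf.find(first)
    while start != -1:
        end = start + len(first)
        if second in buf[end:end + within]:
            return True
        start = buf.find(first, start + 1)
    return False


def segment(stream, size):
    """Cut a byte stream into payloads of at most `size` bytes."""
    return [stream[i:i + size] for i in range(0, len(stream), size)]


def per_packet(segments, first, second):
    """Inspect each TCP payload in isolation (no reassembly)."""
    return any(match_pair(s, first, second) for s in segments)


def reassembled(segments, first, second):
    """Inspect the in-order byte stream rebuilt from all payloads."""
    return match_pair(b"".join(segments), first, second)


if __name__ == "__main__":
    # Columns: payload size, segment count, per-packet hit, reassembled hit
    for size in (512, MSS, 4096):
        segs = segment(BODY, size)
        print(size, len(segs), per_packet(segs, FIRST, SECOND),
              reassembled(segs, FIRST, SECOND))
```

In this sample the two patterns are 239 bytes apart, well inside the window, yet they fall into different payloads at both 512-byte and 1460-byte framing, so only the reassembled view matches.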