[Snort-sigs] [Snort-users] byte_jump + Stream5, should it work?

Joel Esler jesler at ...435...
Sat Dec 24 11:26:57 EST 2011


You can try only_stream in your flow statement; however, doing what you are trying to do depends on several things. It would help if you posted a rule along with a pcap.

--
Joel Esler
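As an added illustration of the only_stream suggestion (not a rule from this thread or from the Snort ruleset), here is a rule for a hypothetical length-encoded protocol on TCP/5555 whose record layout, port, and opcode value are all assumptions:

```snort
# Added example, not from the thread. Assumed record layout on TCP/5555:
#   2-byte magic |AB CD|, 2-byte big-endian length N, N bytes of name, 1-byte opcode.
# Goal: alert when the opcode that follows the variable-length name is 0x7F.
#
# only_stream restricts evaluation to the rebuilt stream buffer Stream5 hands to
# the detection engine, so byte_jump can skip a name that straddles TCP segments
# instead of running off the end of a single packet's payload.
# TCP/5555 must be in stream5_tcp's reassembly port list (e.g. "ports both 5555"),
# otherwise no rebuilt buffer is produced for that port and the rule never fires.
alert tcp $EXTERNAL_NET any -> $HOME_NET 5555 ( \
    msg:"EXAMPLE length-encoded record carrying opcode 0x7F"; \
    flow:to_server,established,only_stream; \
    content:"|AB CD|"; depth:2; \
    byte_jump:2,0,relative,big; \
    content:"|7F|"; within:1; \
    classtype:misc-activity; sid:1000001; rev:1; \
)
```

After the magic matches, byte_jump reads the 2-byte length at the cursor and moves past the name, so the following relative content check lands exactly on the opcode byte.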

On Dec 23, 2011, at 3:43 PM, Shaiming Hsiung <shaiming.hsiung at ...2420...> wrote:

> Hello,
> 
> I am attempting to use Snort (version: 2.9.1.2 IPv6 GRE (Build 84))
> to filter application-level packages in binary length-encoded
> format.
> 
> The Stream5 and HttpInspect preprocessors are enabled.
> 
> As far as I understand, when Stream5 is enabled, Snort is
> able to detect packages matching "content:" rules, even if
> the target string is fragmented across multiple TCP packages.
> Experience seems to confirm that.
> 
> However, when I use "byte_jump:" rules, Snort seems not
> to be able to jump past the TCP package boundary, even
> though Stream5 is enabled.
> 
> I haven't found any documentation in the Snort User's Manual
> regarding the relationship between the "byte_*" rules and
> Stream5.
> 
> Is that the expected way it should work?
> 
> Is there any way of making "byte_jump:" behave as if the
> contents were a stream?
> 
> Thank you in advance for your help.
> 
> Regards,
> 
> --
> Shaiming Hsiung