[Snort-users] Effect of stream4 on rules

Oliver Dain odain at ...4739...
Wed Jan 30 15:26:06 EST 2002


If I use the stream4 stream reassembly pre-processor, what do the rules
"see"? I would assume they would see the reassembled stream, so that if
my rule contained 'content: "hacker"' and "hack" was sent in one
packet and "er" was sent in the next packet, my rule would still match.
However, I'm not clear on how rules that include things like ttl, tcp
flags, etc. match, since what is passed to the rules is now the
concatenation of multiple packets. Does anybody know how this works?

+-----------------------------------------------------------------------+
| Oliver Dain                          | voice:  (781) 981-4788         |
| Information Systems Technology Group | e-mail: odain at ...4740...   |
| MIT Lincoln Laboratory               | web: http://www.ll.mit.edu/IST |
| 244 Wood Street                      |                                |
| Lexington, MA 02420-9185             |                                |
+-----------------------------------------------------------------------+
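The situation the question describes, as an added illustration that is not part of the original post and is not Snort's stream4 code: a minimal reassembler that orders TCP segments by sequence number, concatenates their payloads, and searches the result, so that a pattern split across two packets matches only after reassembly. It also records which segment each matched byte came from, which makes the second half of the question concrete: once a match spans packets that carried different TTLs or flags, a header-based option has more than one candidate value. The Segment fields, function names and sample segments are constructed for this example; how Snort itself resolves that ambiguity is not shown here.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Segment:
    """One TCP segment as seen on the wire (constructed for this example)."""
    seq: int        # sequence number of the first payload byte
    ttl: int        # IP TTL of the packet that carried this segment
    flags: str      # TCP flags, e.g. "PA" for PSH+ACK
    payload: bytes

def match_per_packet(segments, pattern):
    """Packet-at-a-time matching: the pattern must fit inside one segment.
    Returns the indices (in the given list) of segments that match."""
    return [i for i, s in enumerate(segments) if pattern in s.payload]

def reassemble(segments):
    """Order segments by sequence number and concatenate contiguous payload.
    Returns (stream bytes, per-byte origin index, ordered segment list)."""
    ordered = sorted(segments, key=lambda s: s.seq)
    buf = bytearray()
    origin = []                      # origin[i] = index in `ordered` of byte i
    expected = ordered[0].seq
    for idx, s in enumerate(ordered):
        if s.seq > expected:
            break                    # hole in the stream: do not match across it
        data = s.payload[expected - s.seq:]   # drop bytes already seen (overlap/retransmit)
        buf += data
        origin += [idx] * len(data)
        expected += len(data)
    return bytes(buf), origin, ordered

def match_reassembled(segments, pattern):
    """Search the reassembled stream. Each hit is (offset, segments that
    contributed at least one byte to the match)."""
    buf, origin, ordered = reassemble(segments)
    hits, start = [], 0
    while (pos := buf.find(pattern, start)) >= 0:
        contributing = sorted(set(origin[pos:pos + len(pattern)]))
        hits.append((pos, [ordered[i] for i in contributing]))
        start = pos + 1
    return hits

def describe_hit(hit):
    """Summarise which header values a match spanning several packets touches."""
    offset, segs = hit
    return {
        "offset": offset,
        "segments": len(segs),
        "ttls": sorted({s.ttl for s in segs}),
        "flags": sorted({s.flags for s in segs}),
    }

# Constructed sample: "hacker" split across two segments that also differ in TTL,
# delivered out of order.
SAMPLE = [
    Segment(seq=1009, ttl=63, flags="PA", payload=b"er HTTP/1.0\r\n"),
    Segment(seq=1000, ttl=64, flags="PA", payload=b"GET /hack"),
]

if __name__ == "__main__":
    print("per-packet:", match_per_packet(SAMPLE, b"hacker"))        # []
    for h in match_reassembled(SAMPLE, b"hacker"):
        print("reassembled:", describe_hit(h))
```

Per-packet search finds nothing, while the reassembled search reports one hit at offset 5 built from two segments with TTLs 63 and 64; a rule combining `content` with a TTL test would have to pick one of them, which is exactly the ambiguity the question raises.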

