[Snort-users] Problems with spp_stream4.

Joe McAlerney joey at ...47...
Mon Jul 15 10:47:10 EDT 2002


Hi Emilio,

It doesn't look like the stream4 parser needs (or wants) the quotes. 
Try this:

preprocessor stream4_reassemble: both, ports all

-Joe M.

-- 
Joe McAlerney
Silicon Defense: IDS Solutions

Emilio Mira wrote:
> 
> I don't know what I'm doing wrong.
> 
> With "HOME_NET any" and "EXTERNAL_NET any", I'm trying to get Snort to
> alert on the 'hello' string in a telnet session with this rule (in
> telnet.rules):
> 
> alert tcp $HOME_NET any -> $EXTERNAL_NET 23 (msg:"TELNET hello"; flags:A+;
> content:"hello"; sid:3712; )
> 
> From my network, I connect to an outside server and type 'hello', but
> Snort doesn't see it. But if I 'cut-and-paste' 'hello' into the virtual
> terminal, then it does. It seems like stream4 doesn't do its
> job.
> 
> In snort.conf (snort 1.8.7) I have:
> 
> preprocessor stream4: detect_scans
> 
> 
> Could anyone tell me what I'm doing wrong?
> 
> Thank you.
> 
> --
> Emilio Mira
> 
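
Added example (not part of the original messages and not Snort's code): a simplified Python model of why the typed 'hello' is missed while the pasted one matches. It assumes the interactive telnet client sends each keystroke in its own TCP segment, so a per-packet content match never sees the whole string, while a match on the reassembled stream (what stream4_reassemble turns on) does. The segment tuples and function names are constructed for illustration.

```python
# Simplified model for illustration only; this is not Snort's stream4 code.
# A segment is (relative_seq, payload) for one direction of one TCP flow.

PATTERN = b"hello"  # the content: string from the rule in the post


def per_packet_match(segments, pattern=PATTERN):
    """Look for the pattern inside each segment payload on its own."""
    return any(pattern in payload for _, payload in segments)


def reassemble(segments):
    """Rebuild the contiguous byte stream starting at relative seq 0.

    Tolerates out-of-order arrival and retransmitted or overlapping
    segments (bytes already in the stream are kept); stops at a gap.
    """
    stream = bytearray()
    for seq, payload in sorted(segments, key=lambda s: s[0]):
        if seq > len(stream):  # missing bytes before this segment
            break
        stream.extend(payload[len(stream) - seq:])  # skip bytes already seen
    return bytes(stream)


def stream_match(segments, pattern=PATTERN):
    """Look for the pattern in the reassembled stream."""
    return pattern in reassemble(segments)


# Constructed sample flows (not captured traffic).
TYPED = [(i, bytes([c])) for i, c in enumerate(b"hello\r\n")]  # one key per segment
PASTED = [(0, b"hello\r\n")]                                   # whole string at once
SHUFFLED = [(0, b"h"), (2, b"l"), (1, b"e"), (1, b"e"), (3, b"lo"), (4, b"o")]
GAP = [(0, b"he"), (3, b"lo")]                                 # seq 2 never arrives

if __name__ == "__main__":
    for name, flow in [("typed", TYPED), ("pasted", PASTED),
                       ("shuffled", SHUFFLED), ("gap", GAP)]:
        print(f"{name:9} per-packet={per_packet_match(flow)!s:5} "
              f"reassembled={stream_match(flow)}")
```
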



