[Snort-users] Stream reassembly

Paul Smith paulsnort at ...2813...
Wed Sep 4 02:51:04 EDT 2002

Wouldn't it be a worthwhile option to put in the stream reassembler that it 
should re-create the reassembled packets as individual lines?

Alternatively, how about another pre-processor to split packets into lines?

This would solve the problem of false 'buffer overflow' alerts.

I've seen a message recently that in 1.9, DSIZE is going to refer to the 
original packet size - but surely that means that buffer overflows could be 
done by simply sending lots of small packets, and Snort wouldn't detect it. 
Being able to split reassembled packets into individual CR/LF/CRLF/LFCR 
lines on certain specified ports would mean that you'd still detect those 
without the false alarms that we seem to get currently.
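
The trade-off raised in the message above, as an added example that is not part of the original post and is not Snort code: a per-payload size check misses a long line sent in small packets and false-alarms on a large reassembled buffer of short lines, while a per-line length check over the stream handles both. The 128-byte LIMIT, the function names and the sample payloads are assumptions constructed for this illustration.

```c
#include <stdio.h>
#include <string.h>

#define LIMIT 128   /* assumed alert threshold in bytes (constructed) */

struct tracker { size_t cur, longest; };
struct verdict { int size_alert, line_alert; };

/* Feed one payload; the current line length carries over between segments. */
static void feed(struct tracker *t, const unsigned char *p, size_t n) {
    for (size_t i = 0; i < n; i++) {
        if (p[i] == '\r' || p[i] == '\n')   /* CR, LF, CRLF, LFCR all end a line */
            t->cur = 0;
        else if (++t->cur > t->longest)
            t->longest = t->cur;
    }
}

/* Deliver buf in chunks of seg bytes and apply both checks to each chunk. */
struct verdict inspect(const unsigned char *buf, size_t len, size_t seg) {
    struct verdict v = {0, 0};
    struct tracker t = {0, 0};
    if (seg == 0) seg = 1;                  /* avoid a zero-length step */
    for (size_t off = 0; off < len; off += seg) {
        size_t n = len - off < seg ? len - off : seg;
        if (n > LIMIT) v.size_alert = 1;    /* size-of-payload check */
        feed(&t, buf + off, n);
    }
    v.line_alert = t.longest > LIMIT;       /* per-line check */
    return v;
}

/* Constructed sample: one 305-byte line, "USER " plus 300 filler bytes. */
size_t make_long_line(unsigned char *out) {
    memcpy(out, "USER ", 5); memset(out + 5, 'A', 300); memcpy(out + 305, "\r\n", 2);
    return 307;
}

/* Constructed sample: 40 short "NOOP" lines, 240 bytes in total. */
size_t make_short_lines(unsigned char *out) {
    for (int i = 0; i < 40; i++) memcpy(out + 6 * i, "NOOP\r\n", 6);
    return 240;
}

int main(void) {
    unsigned char b[512];
    struct verdict a = inspect(b, make_long_line(b), 10);  /* small packets */
    size_t n = make_short_lines(b);
    struct verdict s = inspect(b, n, n);                    /* one reassembled buffer */
    printf("split long line: size=%d line=%d\n", a.size_alert, a.line_alert);
    printf("short lines:     size=%d line=%d\n", s.size_alert, s.line_alert);
    return 0;
}
```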

