[Snort-users] Stream reassembly
paulsnort at ...2813...
Wed Sep 4 02:51:04 EDT 2002
Wouldn't it be a worthwhile option to put in the stream reassembler that it
should re-create the reassembled packets as individual lines?
Alternatively, how about another pre-processor to split packets into lines?
This would solve the problem of false 'buffer overflow' alerts.
I've seen a message recently that in 1.9, DSIZE is going to refer to the
original packet size - but surely that means that buffer overflows could be
done by simply sending lots of small packets, and Snort wouldn't detect it.
Being able to split reassembled packets into individual CR/LF/CRLF/LFCR
lines on certain specified ports would mean that you'd still detect those
without the false alarms that we seem to get currently.
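
The per-line check proposed in this message, compared with per-packet and whole-buffer size checks, as an added sketch that is not part of the original post and is not Snort code. The 64-byte limit, the function names and both FTP samples are constructed assumptions.

```python
import re

# CR, LF, CRLF and LFCR each count as a single line terminator.
LINE_END = re.compile(rb"\r\n|\n\r|\r|\n")
LIMIT = 64  # assumed per-line / per-packet length threshold, in bytes

def split_lines(stream):
    """Split reassembled stream data into lines, terminators removed."""
    return LINE_END.split(stream)

def oversized_packets(segments, limit=LIMIT):
    """Size check against each original packet payload."""
    return [s for s in segments if len(s) > limit]

def oversized_stream(segments, limit=LIMIT):
    """Size check against the reassembled buffer as a whole."""
    return len(b"".join(segments)) > limit

def oversized_lines(segments, limit=LIMIT):
    """Size check against each line of the reassembled buffer."""
    return [l for l in split_lines(b"".join(segments)) if len(l) > limit]

# Constructed sample 1: ordinary FTP commands, one per packet.
BENIGN = [b"USER anonymous\r\n", b"PASS guest@example.com\r\n", b"CWD /pub\r\n",
          b"TYPE I\r\n", b"PASV\r\n", b"RETR README.txt\r\n", b"QUIT\r\n"]

# Constructed sample 2: one 305-byte command line sent in 20-byte packets.
_long = b"USER " + b"A" * 300 + b"\r\n"
FRAGMENTED = [_long[i:i + 20] for i in range(0, len(_long), 20)]

def report(name, segments):
    """Summarise what each of the three checks sees for one session."""
    return (name, len(oversized_packets(segments)),
            oversized_stream(segments), len(oversized_lines(segments)))

if __name__ == "__main__":
    for name, segs in (("benign", BENIGN), ("fragmented", FRAGMENTED)):
        print("%-10s packets>limit=%d stream>limit=%s lines>limit=%d"
              % report(name, segs))
```

The benign session trips only the whole-buffer check, while the fragmented command line passes the per-packet check and is caught by the per-line one.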