[Snort-users] byte_jump + Stream5, should it work?
shaiming.hsiung at ...11827...
Fri Dec 23 15:43:40 EST 2011
I am attempting to use Snort (version: 184.108.40.206 IPv6 GRE (Build 84))
to filter application-level packages in binary length-encoded
The Stream5 and HttpInspect preprocessors are enabled.
As far as I understand, when Stream5 is enabled, Snort is
able to detect packages matching "content:" rules, even if
the target string is fragmented across multiple TCP packages.
Experience seems to confirm that.
However, when I use "byte_jump:" rules, Snort seems not
to be able to jump past the TCP package boundary, even
though Stream5 is enabled.
I haven't found any documentation in the Snort User's Manual
regarding the relationship between the "byte_*" rules and
Is that the expected way it should work?
Is there any way of making "byte_jump:" behave as if the
contents were a stream?
Thank you in advance for your help.
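Added example, not part of the original message and not Snort code: a small Python model of the situation the question describes, where a length-prefixed record is split across two TCP segments and a jump is evaluated first against each segment alone and then against the reassembled bytes. The record layout (`REC` magic, 2-byte big-endian length, `TAIL` trailer), the function names and the sample data are all constructed assumptions.

```python
import struct

def byte_jump(buf, cursor, nbytes, offset=0):
    """Read an nbytes big-endian integer at cursor+offset, then move past the
    field and forward by the value read. Returns None when the length field
    or the landing point lies outside buf (the jump cannot be satisfied)."""
    start = cursor + offset
    end = start + nbytes
    if start < 0 or end > len(buf):
        return None
    value = int.from_bytes(buf[start:end], "big")
    target = end + value
    return target if target <= len(buf) else None

def rule_matches(buf, magic=b"REC", trailer=b"TAIL"):
    """Model of a rule shaped like: match magic, jump over the length-encoded
    body relative to that match, then require the trailer at the landing point."""
    pos = buf.find(magic)
    if pos < 0:
        return False
    cursor = byte_jump(buf, pos + len(magic), 2)
    return cursor is not None and buf[cursor:cursor + len(trailer)] == trailer

def build_record(body):
    # Constructed sample format: magic, 2-byte big-endian body length, body, trailer.
    return b"REC" + struct.pack(">H", len(body)) + body + b"TAIL"

def split_segments(stream, cut):
    # Models one application record carried in two TCP segments.
    return [stream[:cut], stream[cut:]]

record = build_record(b"A" * 40)           # 49 bytes in total
segments = split_segments(record, 20)      # length field in segment 0, trailer in segment 1

# Evaluated against each segment on its own, the jump target is out of bounds.
per_segment = [rule_matches(seg) for seg in segments]
# Evaluated against the reassembled bytes, the jump lands on the trailer.
reassembled = rule_matches(b"".join(segments))

if __name__ == "__main__":
    print("per-segment:", per_segment)
    print("reassembled:", reassembled)
```

The only difference between the two results is the buffer the jump is bounds-checked against, which is the distinction the question is asking about.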