[Snort-users] byte_jump + Stream5, should it work?

Shaiming Hsiung shaiming.hsiung at ...11827...
Fri Dec 23 15:43:40 EST 2011


Hello,

I am attempting to use Snort (version: 2.9.1.2 IPv6 GRE (Build 84))
to filter application-level packets in a binary length-encoded
format.

The Stream5 and HttpInspect preprocessors are enabled.

As far as I understand, when Stream5 is enabled, Snort is
able to detect packets matching "content:" rules, even if
the target string is fragmented across multiple TCP packets.
Experience seems to confirm that.

However, when I use "byte_jump:" rules, Snort seems not
to be able to jump past the TCP packet boundary, even
though Stream5 is enabled.

I haven't found any documentation in the Snort User's Manual
regarding the relationship between the "byte_*" rules and
Stream5.

Is that the expected way it should work?

Is there any way of making "byte_jump:" behave as if the
contents were a stream?

Thank you in advance for your help.

Regards,

--
Shaiming Hsiung
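To make the question concrete, the following is an added example written for this page; it is not code from the poster or from Snort. It models the semantics of a rule of the form `byte_jump:2,0; content:"DONE"; distance:0; within:4;` (read a 2-byte big-endian length at offset 0, move the detection cursor past the converted bytes plus that many bytes, then look for the trailer there) and evaluates it first against each TCP segment on its own and then against the reassembled stream. The wire format (2-byte length, payload, fixed `DONE` trailer), the segment sizes and the helper names are constructed for illustration; how Snort's own detection engine buffers data is exactly what the post asks, and the model does not claim to answer it.

```python
import struct

TRAILER = b"DONE"


def build_record(payload: bytes) -> bytes:
    """Constructed (hypothetical) wire format: 2-byte big-endian length,
    the payload, then a fixed trailer that a rule wants to match."""
    return struct.pack(">H", len(payload)) + payload + TRAILER


def split_segments(data: bytes, sizes):
    """Cut a byte string into TCP-segment-sized pieces; the remainder
    becomes the final segment."""
    segments, pos = [], 0
    for n in sizes:
        segments.append(data[pos:pos + n])
        pos += n
    if pos < len(data):
        segments.append(data[pos:])
    return segments


def byte_jump(buf: bytes, offset: int, nbytes: int, big_endian: bool = True):
    """Model of byte_jump: convert nbytes at offset to an integer and return
    the new cursor (offset + nbytes + value). Returns None when either the
    length field or the jump target lies outside the buffer being inspected,
    which is the case a rule cannot match."""
    if offset < 0 or offset + nbytes > len(buf):
        return None
    value = int.from_bytes(buf[offset:offset + nbytes],
                           "big" if big_endian else "little")
    target = offset + nbytes + value
    if target > len(buf):
        return None
    return target


def rule_matches(buf: bytes) -> bool:
    """byte_jump:2,0; content:"DONE"; distance:0; within:4; applied to buf."""
    cursor = byte_jump(buf, 0, 2)
    if cursor is None:
        return False
    return buf[cursor:cursor + len(TRAILER)] == TRAILER


def evaluate_per_segment(segments) -> bool:
    """Rule evaluated against each segment's payload in isolation."""
    return any(rule_matches(s) for s in segments)


def evaluate_reassembled(segments) -> bool:
    """Rule evaluated against the concatenated (reassembled) stream."""
    return rule_matches(b"".join(segments))


def demo():
    # Constructed sample: a 100-byte payload split so that the jump target
    # (offset 102) falls in the second segment.
    record = build_record(b"A" * 100)
    segments = split_segments(record, [50])
    return {
        "segments": len(segments),
        "per_segment": evaluate_per_segment(segments),
        "reassembled": evaluate_reassembled(segments),
        "single_packet": evaluate_per_segment([record]),
    }


if __name__ == "__main__":
    print(demo())
```

With the sample above the jump lands 102 bytes into a 106-byte record, so per-segment evaluation fails in the first segment (target beyond the 50 bytes seen) and in the second (the first two bytes there are payload, not a length field), while the reassembled buffer matches. The same record delivered in one segment matches either way, which is the difference the post reports.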

