[Snort-users] byte_jump + Stream5, should it work?

rmkml rmkml at ...1855...
Sat Dec 24 10:39:14 EST 2011


Hi Shaiming,
Can you share a pcap example please?
Can you test with last snort v2.9.2 please?
Can you try with default snort.conf with minimal change?
Can you post your snort.conf + pcap + snort cmd line + snort verbose output ?
Can you post a rule + pcap describing exactly your problem please?
Happy Detect with Snort / Suricata / Bro.
Merry Christmas everyone.
Rmkml


On Fri, 23 Dec 2011, Shaiming Hsiung wrote:

> Hello,
> 
> I am attempting to use Snort (version: 2.9.1.2 IPv6 GRE (Build 84))
> to filter application-level packages in binary length-encoded
> format.
> 
> The Stream5 and HttpInspect preprocessors are enabled.
> 
> As far as I understand, when Stream5 is enabled, Snort is
> able to detect packages matching "content:" rules, even if
> the target string is fragmented across multiple TCP packages.
> Experience seems to confirm that.
> 
> However, when I use "byte_jump:" rules, Snort seems not
> to be able to jump past the TCP package boundary, even
> though Stream5 is enabled.
> 
> I haven't found any documentation in the Snort User's Manual
> regarding the relationship between the "byte_*" rules and
> Stream5.
> 
> Is that the expected way it should work?
> 
> Is there any way of making "byte_jump:" behave as if the
> contents were a stream?
> 
> Thank you in advance for your help.
> 
> Regards,
> 
> --
> Shaiming Hsiung
> 
>
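
The situation Shaiming describes, modelled as an added example that is not part of the original thread and not Snort's own code: a toy length-prefixed message whose jump target lands in a later TCP segment, checked once against each segment on its own and once against the reassembled stream. The `byte_jump` emulation follows the documented option semantics (bytes to convert, offset, endianness, multiplier, post_offset); the protocol, the segment size and the rule fragment in the docstring are constructed assumptions. It shows why a jump that is evaluated per segment cannot land past the segment end, which is the symptom in the question; whether Snort applies `byte_jump` to the Stream5 reassembled buffer is exactly what the thread is asking and is not settled here.

```python
# Constructed illustration (not from the thread): how a byte_jump-style step
# behaves when the detection buffer is one TCP segment versus the whole
# reassembled stream. Assumed toy protocol: 2-byte big-endian length field,
# then that many payload bytes, then a 4-byte tag we want to match on.
import struct
from typing import List, Optional, Sequence


def byte_jump(buf: bytes, nbytes: int, offset: int, *, big_endian: bool = True,
              multiplier: int = 1, post_offset: int = 0) -> Optional[int]:
    """Emulate byte_jump:<nbytes>,<offset>[,multiplier N][,post_offset N].

    Returns the new cursor position, or None when either the length field or
    the computed jump target lies outside the buffer being inspected.
    """
    if offset < 0 or offset + nbytes > len(buf):
        return None                      # length field not (fully) in buffer
    value = int.from_bytes(buf[offset:offset + nbytes],
                           "big" if big_endian else "little")
    target = offset + nbytes + value * multiplier + post_offset
    if target < 0 or target > len(buf):
        return None                      # jump would leave the buffer
    return target


def match_after_jump(buf: bytes, pattern: bytes) -> bool:
    """Emulate the assumed rule body:
       byte_jump:2,0; content:"<pattern>"; distance:0; within:<len(pattern)>;
    i.e. jump over the length-prefixed payload, then the tag must follow."""
    cursor = byte_jump(buf, 2, 0)
    if cursor is None:
        return False
    return buf[cursor:cursor + len(pattern)] == pattern


def build_message(payload: bytes, tag: bytes) -> bytes:
    """Constructed sample message: >H length, payload, trailing tag."""
    return struct.pack(">H", len(payload)) + payload + tag


def segment(data: bytes, size: int) -> List[bytes]:
    """Split a byte string into fixed-size chunks, standing in for TCP segments."""
    return [data[i:i + size] for i in range(0, len(data), size)]


def detect_per_segment(segments: Sequence[bytes], pattern: bytes) -> bool:
    """Inspect each segment as its own buffer (no reassembly)."""
    return any(match_after_jump(s, pattern) for s in segments)


def detect_on_stream(segments: Sequence[bytes], pattern: bytes) -> bool:
    """Inspect the concatenated segments as one reassembled buffer."""
    return match_after_jump(b"".join(segments), pattern)


if __name__ == "__main__":
    msg = build_message(b"A" * 100, b"TAG1")        # 2 + 100 + 4 = 106 bytes
    segs = segment(msg, 60)                          # tag sits in segment 2
    print("per-segment:", detect_per_segment(segs, b"TAG1"))   # False
    print("on stream:  ", detect_on_stream(segs, b"TAG1"))     # True
```

With a 60-byte segment size the length field says "skip 100 bytes", so from the first segment the target (offset 102) is beyond the 60 bytes available and the jump fails; the second segment starts in the middle of the payload, so its first two bytes are read as a nonsense length and the jump fails again. Only the joined buffer lets the jump land on the tag. When the whole message fits in one segment both approaches match, which is consistent with the observation that `content:` matches work but `byte_jump:` appears to stop at the packet boundary.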
