[Snort-users] Have difference sig detection in Snort and above 2.9.3.

Kiryukhin Andrey andrei_1980 at ...1975...
Thu Dec 27 14:50:59 EST 2012

waldo kitty wrote:
> how big is each packet in the pcap that should be triggering the rule?
> I'm thinking that it may be due to packet reassembly but that's a pure eWAG...

Thanks for the reply! It pointed me in the right direction.
My problem was that in some sessions the shellcode really was split across two packets (I made this mix of sessions some years ago and forgot how I did it), and the target port was not present in the stream preprocessor.

Maybe it was a bug in Snort 2.9.1, because it reassembled the session without the port being declared in the stream preprocessor.

Best Regards, Kiryukhin Andrey
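
The detection gap described in this message, as an added example that is not part of the original post and is not Snort code: a toy matcher in which a content signature split across two TCP segments is seen only when the destination port is in the set of ports that get reassembled. The signature, flow tuple, port numbers and function names are constructed for illustration.

```python
from collections import defaultdict

SIGNATURE = b"CONSTRUCTED-SIG"                   # constructed stand-in for a rule's content match
FLOW = ("10.0.0.5", 40000, "10.0.0.9", 8080)     # constructed (src, sport, dst, dport)
PAYLOAD = b"prefix " + SIGNATURE + b" suffix"    # constructed session payload


def split_payload(payload, cut, flow, first_seq=1):
    """Return two (flow, seq, data) segments with the payload cut at `cut`."""
    return [(flow, first_seq, payload[:cut]),
            (flow, first_seq + cut, payload[cut:])]


def detect(segments, reassembly_ports):
    """Match SIGNATURE per packet, and per reassembled stream for flows whose
    destination port is in reassembly_ports (toy model: no gaps or overlaps)."""
    alerts = []
    streams = defaultdict(list)
    for flow, seq, data in segments:
        if SIGNATURE in data:                    # raw-packet inspection
            alerts.append(("packet", flow))
        if flow[3] in reassembly_ports:          # only listed ports are tracked
            streams[flow].append((seq, data))
    for flow, parts in streams.items():
        stream = b"".join(data for _, data in sorted(parts))  # order by seq
        if SIGNATURE in stream:
            alerts.append(("stream", flow))
    return alerts


if __name__ == "__main__":
    split = split_payload(PAYLOAD, 12, FLOW)     # cut falls inside the signature
    print("port not listed:", detect(split, {80}))
    print("port listed:    ", detect(split, {80, 8080}))
```

With the destination port missing from the reassembly set, neither segment matches on its own and no alert is produced; adding the port makes the same capture alert on the reassembled stream.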