[Snort-users] Depth limit of binary flow using just pcre (no content option)

Frank Calone fc10011001 at ...11827...
Fri Jul 19 14:57:26 EDT 2013


Yes, the sessions I have seen have had no http markup at the beginning.
Certainly not gzipped data either, just raw binary.

Frank

On Fri, Jul 19, 2013 at 2:42 PM, waldo kitty <wkitty42 at ...14940...> wrote:

> On 7/19/2013 14:20, Frank Calone wrote:
> > I'd like to test just the first 500 bytes of a session for a pcre
> > pattern.  I've seen port 80 session data with just raw transfers, no
> > http related stuff.  It
>
> are you sure that those are not just additional packets carrying data for
> an initial http session? they may be carrying binary data like graphics or
> they may be part of a gzipped session...
>
> > appears the "depth" option must have a content check.  I really don't
> > have a good content criteria to test for.  My interest is strictly in
> > just a pattern.  Any ideas on how to limit the testing to just 500 bytes
> > of any given session?  I have some content only rules that are not
> > alerting when I added the pcre tests.  I suspect trying to analyze all
> > sessions and all bytes for a dozen different patterns is a bit much to
> > ask of Snort.
>
>
>
> --
> NOTE: No off-list assistance is given without prior approval.
>        Please keep mailing list traffic on the list unless
>        private contact is specifically requested and granted.
>
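The windowed pcre test Frank is asking about, as an added example that is not part of this thread and not Snort's own code: a Python script that builds the kind of expression one would put in a Snort `pcre` option (a start-of-buffer anchor plus a bounded lazy quantifier, so no `content`/`depth` pair is needed) and checks its behaviour against constructed raw-binary payloads. `PATTERN`, `MARKER_BYTES`, the 500-byte window and the filler are all constructed stand-ins, not anything from the original post.

```python
import re

WINDOW = 500  # bytes of each session to inspect, as in the thread

# Constructed filler: 1024 bytes of raw binary with no HTTP markup, standing
# in for the kind of port-80 session described in the thread.
FILLER = bytes(range(256)) * 4
# Hypothetical byte sequence of interest (constructed). MARKER_BYTES is the
# literal sequence placed in the payload; PATTERN is the same sequence written
# as regex text, exactly as it would appear inside a Snort pcre option.
MARKER_BYTES = b"\x7fMAGIC\x00"
PATTERN = rb"\x7fMAGIC\x00"


def window_regex(pattern: bytes, window: int = WINDOW) -> re.Pattern:
    """Return a compiled regex that matches only when `pattern` begins at an
    offset below `window`.

    Only PCRE-compatible constructs are used, so the same text can be placed
    in a Snort pcre option:
      ^               anchor at the start of the buffer being tested
      [\\s\\S]{0,N}?  skip at most N arbitrary bytes (newlines included),
                      lazily, so the earliest hit is found
      (?:pattern)     the pattern itself
    With N = window - 1 the pattern's first byte lands at offset <= window - 1,
    i.e. inside the first `window` bytes.
    """
    if window < 1:
        raise ValueError("window must cover at least one byte")
    skip = str(window - 1).encode("ascii")
    return re.compile(rb"^[\s\S]{0," + skip + rb"}?(?:" + pattern + rb")")


def matches_in_window(payload: bytes, pattern: bytes, window: int = WINDOW) -> bool:
    """True when `pattern` starts within the first `window` bytes of `payload`."""
    return window_regex(pattern, window).search(payload) is not None


def matches_anywhere(payload: bytes, pattern: bytes) -> bool:
    """Unbounded check, i.e. what a plain pcre option does: scans every byte."""
    return re.search(pattern, payload) is not None


def payload_with_marker(offset: int) -> bytes:
    """Constructed session: `offset` filler bytes, the marker, then more filler."""
    return FILLER[:offset] + MARKER_BYTES + FILLER[offset:]


def sweep(offsets=(0, 250, 499, 500, 800)) -> dict:
    """Compare the windowed and unbounded tests across marker offsets and
    cross-check the windowed result against a direct offset computation.
    Returns {offset: (windowed_match, unbounded_match)}."""
    results = {}
    for off in offsets:
        payload = payload_with_marker(off)
        windowed = matches_in_window(payload, PATTERN)
        expected = payload.find(MARKER_BYTES) < WINDOW
        assert windowed == expected, f"regex disagrees with offset check at {off}"
        results[off] = (windowed, matches_anywhere(payload, PATTERN))
    return results


if __name__ == "__main__":
    for off, (windowed, anywhere) in sweep().items():
        print(f"marker at {off:4d}: windowed={windowed!s:5}  unbounded={anywhere}")
```

In a rule the expression would sit in the option as `pcre:"/^[\s\S]{0,499}?\x7fMAGIC\x00/";`. Two caveats worth keeping in mind: the `^` anchor counts the 500 bytes from the start of whatever buffer Snort evaluates the pcre option against, so the window applies per evaluated buffer rather than once per TCP session; and because the skip is bounded, the regex engine gives up after at most 500 positions instead of scanning the whole buffer, which also addresses the per-pattern cost Frank was worried about.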

