[Snort-users] Depth limit of binary flow using just pcre (no content option)

Joel Esler jesler at ...1935...
Fri Jul 19 15:11:19 EDT 2013


On Jul 19, 2013, at 2:20 PM, Frank Calone <fc10011001 at ...11827...> wrote:

> I'd like to test just the first 500 bytes of a session for a pcre pattern.  I've seen port 80 session data with just raw transfers, no http related stuff.  It appears the "depth" option must have a content check.

Correct.

> I really don't have a good content criteria to test for.  My interest is strictly in just a pattern.  Any ideas on how to limit the testing to just 500 bytes of any given session?

My default Snort will examine the 1514-byte packet.  In order to truncate the packet you will have to set the snaplen to a smaller number.

> I have some content only rules that are not alerting when I added the pcre tests.  I suspect trying to analyze all sessions and all bytes for a dozen different patterns is a bit much to ask of Snort.

If you posted your rules and the pcap we could help better.

--
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire
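Editor's note, not part of the thread above: since `depth` needs a `content` to hang off, the other way to bound a content-less pcre to the first 500 bytes is to put the bound inside the pattern itself. `\A` anchors at the start of the buffer Snort hands the PCRE engine, and `.{0,499}` lets the real pattern begin at any offset 0..499 and nowhere later; the `s` modifier (DOTALL) is required because raw binary data contains newlines that `.` would otherwise refuse to cross. The example below checks that construction with Python's `re`, which supports the same syntax; `SECRET_MARKER`, the 500-byte window and the payloads are constructed for illustration.

```python
import re

# Snort rule body this mirrors (assumed, not from the thread):
#   pcre:"/\A.{0,499}SECRET_MARKER/s";
# \A   -> anchor at the start of the buffer
# .{0,499} -> the marker may start at offset 0..499, i.e. inside the first 500 bytes
# /s   -> DOTALL, so '.' also matches \n in binary payloads

WINDOW = 500                     # bytes of the buffer we are willing to inspect
MARKER = rb"SECRET_MARKER"       # hypothetical pattern fragment, stands in for the real one


def bounded_pattern(marker: bytes = MARKER, window: int = WINDOW) -> re.Pattern:
    """Compile a regex that matches only if `marker` begins within the first `window` bytes.

    `marker` is a regex fragment (use re.escape() if it is a literal byte string).
    """
    if window < 1:
        raise ValueError("window must be at least 1 byte")
    bound = str(window - 1).encode()
    return re.compile(rb"\A.{0," + bound + rb"}" + marker, re.DOTALL)


def unbounded_pattern(marker: bytes = MARKER) -> re.Pattern:
    """What the rule matches without the anchor: anywhere in the buffer."""
    return re.compile(marker, re.DOTALL)


def matches_in_window(payload: bytes, marker: bytes = MARKER, window: int = WINDOW) -> bool:
    """True if the marker starts within the first `window` bytes of `payload`."""
    return bounded_pattern(marker, window).search(payload) is not None


def matches_anywhere(payload: bytes, marker: bytes = MARKER) -> bool:
    return unbounded_pattern(marker).search(payload) is not None


# Constructed payloads (not captured traffic): the marker at various offsets,
# with NULs and newlines in the prefix to exercise the DOTALL requirement.
DEMO_PAYLOADS = {
    "offset_100":        b"\x00\n" * 50 + MARKER + b"B" * 200,   # marker at 100
    "offset_499":        b"\x00\r\n" * 166 + b"\x00" + MARKER,    # marker at 499 (last allowed)
    "offset_500":        b"A" * 500 + MARKER,                     # marker at 500 (one past window)
    "offset_2000":       b"\n" * 2000 + MARKER,                   # well beyond the window
    "no_marker":         b"\x00" * 1514,                          # nothing to find
}


def run_demo() -> dict:
    """Return {name: (bounded_result, unbounded_result)} for each demo payload."""
    return {name: (matches_in_window(p), matches_anywhere(p)) for name, p in DEMO_PAYLOADS.items()}


if __name__ == "__main__":
    for name, (bounded, anywhere) in run_demo().items():
        print(f"{name:12s} bounded={bounded!s:5s} anywhere={anywhere}")
```

Without `\A`, the `.{0,499}` bound is meaningless, because the engine can retry the whole pattern from every later start position; the anchor is what turns the quantifier into an offset limit. Keep in mind that the buffer being bounded is whatever Snort passes to `pcre` for that packet or reassembled segment, so this limits the search per buffer rather than per TCP session; pair it with `flow` options or a `flowbits` gate if only the first segment of a session should be inspected.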
