[Snort-users] how to set paf_max unlimited to get all of the http response between <html> and </html> in single stream

Qasim Javed qasim.javed at ...17373...
Thu Dec 3 05:30:13 EST 2015


Hi.
   I have enabled TCP reassembly in snort.conf and have *set paf_max to
63780*, but my pcap to be analyzed contains a response of more than
100000 bytes, and we can find two contents which must come in 63780, but my
*content_no.1* is in the first *63780* and *content_no.2* is in the 2nd chunk of
bytes got after flushing. So my rule is not generating an alert. How can I fix
this issue and make it unlimited?
I have attached *snort.conf*.



Best Regards,

Qasim Javed| Malware Researcher | Ebryx (Pvt.) Ltd. |
Office #1, 4th Floor Arfa STP, 346-B Ferozpur Road Lahore, Pakistan
-------------- next part --------------
A non-text attachment was scrubbed...
Name: snort.conf
Type: application/octet-stream
Size: 2171 bytes
Desc: not available
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20151203/047c45fa/attachment.obj>
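
The situation described in the message above, as an added example that is not part of the original post or of Snort itself: a simplified model in which a reassembled stream is handed to detection in flushed chunks of at most paf_max bytes and a rule fires only when all of its contents are found in the same chunk. The marker strings, offsets and function names are constructed for illustration; real Snort flushing is more involved than fixed-size slicing.

```python
# Simplified model (added example, not Snort code): each flushed chunk is
# inspected on its own, so a rule needing two contents alerts only when
# both land in the same chunk.
PAF_MAX = 63780  # value quoted in the message


def flush_chunks(stream: bytes, paf_max: int = PAF_MAX):
    """Split a reassembled stream into chunks of at most paf_max bytes."""
    return [stream[i:i + paf_max] for i in range(0, len(stream), paf_max)]


def rule_alerts(chunk: bytes, contents) -> bool:
    """True when every content of the rule is present in this one chunk."""
    return all(c in chunk for c in contents)


def alerts_for_stream(stream: bytes, contents, paf_max: int = PAF_MAX):
    """Return the indexes of the flushed chunks on which the rule fires."""
    chunks = flush_chunks(stream, paf_max)
    return [n for n, ch in enumerate(chunks) if rule_alerts(ch, contents)]


def build_response(total: int, placements):
    """Constructed sample body: filler bytes with markers at given offsets."""
    body = bytearray(b"A" * total)
    for offset, marker in placements:
        body[offset:offset + len(marker)] = marker
    return bytes(body)


# Hypothetical markers standing in for the two rule contents.
CONTENTS = [b"content_no.1", b"content_no.2"]


def demo():
    # Response larger than 100000 bytes, second marker past the first flush.
    split = build_response(100_500, [(1_000, CONTENTS[0]), (90_000, CONTENTS[1])])
    # Same size, but both markers inside the first 63780 bytes.
    same = build_response(100_500, [(1_000, CONTENTS[0]), (60_000, CONTENTS[1])])
    return {
        "split_across_flush": alerts_for_stream(split, CONTENTS),
        "same_chunk": alerts_for_stream(same, CONTENTS),
        # Model-only comparison: one chunk covering the whole response.
        "single_chunk": alerts_for_stream(split, CONTENTS, paf_max=len(split)),
    }


if __name__ == "__main__":
    print(demo())
```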

