[Snort-users] Limits of Snort TCP reconstruction

tom.barbette at ulg.ac.be
Thu Aug 31 10:37:32 EDT 2017

Hi list,

I read a lot of documentation, but it is still not clear to me what the limitations of the Snort TCP reconstruction are. It seems that when creating a rule that matches on TCP payload, it will match the payload across multiple packets. But what is the limit in terms of number of packets here?

E.g., if I want to match on "<script>.*</script>" in HTTP payload, would Snort fail to match if ".*" is actually big enough?

If someone can link me to some more documentation, or help me understand the limits, that would be great.