[Snort-users] Limits of Snort TCP reconstruction

Al Lewis (allewi) allewi at cisco.com
Thu Aug 31 10:44:20 EDT 2017

Take a look at the README.stream5 included in the download.

Albert Lewis
SOURCEfire, Inc. now part of Cisco
Email: allewi at cisco.com 

On 8/31/17, 10:37 AM, "Snort-users on behalf of tom.barbette at ulg.ac.be" <snort-users-bounces at lists.snort.org on behalf of tom.barbette at ulg.ac.be> wrote:

>Hi list,
>I read a lot of documentation, but it is still not clear to me what the limitations of the Snort TCP reconstruction are. It seems that when creating a rule which matches on TCP payload, it will match the payload across multiple packets. But what's the limit in terms of number of packets here?
>E.g., if I want to match on "<script>.*</script>" in HTTP payload, would Snort fail to match if ".*" is actually big enough?
>If someone can link me to some more documentation, or help me understand the limits, that would be great.
