[Snort-users] Limits of Snort TCP reconstruction
Al Lewis (allewi)
allewi at cisco.com
Thu Aug 31 10:44:20 EDT 2017
Take a look at the README.stream5 included in the download.
SOURCEfire, Inc. now part of Cisco
Email: allewi at cisco.com
On 8/31/17, 10:37 AM, "Snort-users on behalf of tom.barbette at ulg.ac.be" <snort-users-bounces at lists.snort.org on behalf of tom.barbette at ulg.ac.be> wrote:
>I read a lot of documentation, but it is still not clear to me what the limitations of the Snort TCP reconstruction are. It seems that when creating a rule that matches on TCP payload, it will match the payload across multiple packets. But what's the limit in terms of number of packets here?
>E.g. If I want to match on "<script>.*</script>" in HTTP payload, would Snort fail to match if ".*" is actually big enough?
>If someone can link me to some more documentation, or help me understand the limits, that would be great.