[Snort-users] Limits of Snort TCP reconstruction

tom.barbette at ulg.ac.be tom.barbette at ulg.ac.be
Thu Aug 31 10:55:32 EDT 2017


Hi Albert,

Thanks for your quick answer. However this documentation is very much limited.

Let's say the first limit reached is a limit of 5 segments. My attack starts at segment 5. As the limit is reached, it is not found. Then segment 6 arrives with the end of the attack. What happens?

I specifically consider inline mode. I guess the stream will not be held for the default max window of 65536 << 14 bytes, right?

Thanks,
Tom


----- Original Message -----
> From: "Al Lewis (allewi)" <allewi at cisco.com>
> To: "tom barbette" <tom.barbette at ulg.ac.be>, snort-users at lists.snort.org
> Sent: Thursday, 31 August 2017 16:44:20
> Subject: Re: [Snort-users] Limits of Snort TCP reconstruction

> Take a look at the README.stream5 included in the download.
> 
> 
> 
> Albert Lewis
> ENGINEER.SOFTWARE ENGINEERING
> SOURCEfire, Inc. now part of Cisco
> Email: allewi at cisco.com
> 
> On 8/31/17, 10:37 AM, "Snort-users on behalf of tom.barbette at ulg.ac.be"
> <snort-users-bounces at lists.snort.org on behalf of tom.barbette at ulg.ac.be>
> wrote:
> 
>>Hi list,
>>
>>I read a lot of documentation, but it is still not clear to me what the
>>limitations of the Snort TCP reconstruction are. It seems that when creating a rule
>>that matches on TCP payload, it will match the payload across multiple packets.
>>But what is the limit in terms of the number of packets here?
>>
>>E.g. If I want to match on "<script>.*</script>" in HTTP payload, would Snort
>>fail to match if ".*" is actually big enough?
>>
>>If someone can link me to some more documentation, or help me understand the
>>limits, that would be great.
>>
>>Thanks,
>>
>>Tom
>>_______________________________________________
>>Snort-users mailing list
>>Snort-users at lists.snort.org
>>Go to this URL to change user options or unsubscribe:
>>https://lists.snort.org/mailman/listinfo/snort-users
>>
>>Please visit http://blog.snort.org to stay current on all the latest Snort news!
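
The scenario in the thread (an attack that begins in segment 5 and ends in segment 6 while the reassembly queue is flushed after 5 segments) is easiest to reason about with a small model. The Python below is an added example, not code from the thread, from Snort or from README.stream5, and it does not reproduce stream5's actual reassembly or flush policy. It assumes a simplified reassembler that orders segments by sequence number, concatenates their payloads and flushes every max_queued_segs segments (no retransmissions, overlaps or gaps), and it uses constructed sample segments. It contrasts a single rule with an unbounded ".*" applied to each flush on its own against a two-stage matcher in the style of flowbits, which remembers an unmatched opening tag from an earlier flush and fires when the closing tag arrives later.

```python
import re

# Constructed sample: an HTTP response split into 6 TCP segments as
# (sequence number, payload).  Segment 5 carries "<script>", segment 6
# carries "</script>", so the pattern straddles a 5-segment flush boundary.
SEGMENTS = [
    (1, b"HTTP/1.1 200 OK\r\n"),
    (18, b"Content-Type: text/html\r\n\r\n"),
    (45, b"<html><body>"),
    (57, b"<p>hello</p>"),
    (69, b"<script>alert(1)"),
    (85, b";</script></body></html>"),
]

# Constructed sample: same idea, but here the closing tag itself is cut in
# two by the flush boundary ("</scr" in segment 5, "ipt>" in segment 6).
SEGMENTS_SPLIT_TAG = [
    (1, b"<html>"),
    (7, b"<script>"),
    (15, b"x=1;"),
    (19, b"y=2;"),
    (23, b"</scr"),
    (28, b"ipt>"),
]

OPEN_TAG = b"<script>"
CLOSE_TAG = b"</script>"
# The rule from the thread: an unbounded ".*" between the two tags.
PATTERN = re.compile(rb"<script>.*</script>", re.DOTALL)
# Bytes carried from one flush into the next so a tag split across the
# boundary can still be seen whole (hypothetical choice, not a Snort option).
CARRY = len(CLOSE_TAG) - 1


def reassemble(segments, max_queued_segs):
    """Order segments by sequence number and concatenate their payloads,
    emitting one reassembled buffer (a 'flush') every max_queued_segs
    segments and a final one for whatever is left."""
    flushes, queue = [], []
    for _seq, payload in sorted(segments, key=lambda s: s[0]):
        queue.append(payload)
        if len(queue) == max_queued_segs:
            flushes.append(b"".join(queue))
            queue = []
    if queue:
        flushes.append(b"".join(queue))
    return flushes


def match_per_flush(flushes):
    """Single-rule matching: every flush is searched on its own, so a match
    that spans two flushes is never seen."""
    return any(PATTERN.search(f) for f in flushes)


def match_with_state(flushes):
    """Two-stage matching (flowbits style): stage 1 notes an opening tag that
    has no closing tag after it; stage 2 fires on a later closing tag while
    that note is set.  A short tail of the previous flush is prepended so a
    tag cut by the boundary is reassembled before searching."""
    pending = False
    tail = b""
    for f in flushes:
        window = tail + f
        if pending and CLOSE_TAG in window:
            return True
        if PATTERN.search(window):
            return True
        last_open = window.rfind(OPEN_TAG)
        last_close = window.rfind(CLOSE_TAG)
        if last_open != last_close:  # at least one tag present in this window
            pending = last_open > last_close
        tail = window[-CARRY:]
    return False


if __name__ == "__main__":
    for name, segs in (("plain", SEGMENTS), ("split tag", SEGMENTS_SPLIT_TAG)):
        for limit in (5, 10):
            flushes = reassemble(segs, limit)
            print(f"{name:9} limit={limit:2} flushes={len(flushes)} "
                  f"per-flush={match_per_flush(flushes)} "
                  f"stateful={match_with_state(flushes)}")
```

With a 5-segment limit both samples produce two flushes and the single ".*" rule misses the attack in both; raising the limit to 10 puts everything into one flush and the single rule matches. The stateful matcher catches both at either limit, which is why splitting a rule into a set-flowbit rule on the opening marker and an isset-flowbit rule on the closing marker is the usual way to avoid depending on how much of a stream the reassembler is still holding.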


