[Snort-users] Limits of Snort TCP reconstruction
Al Lewis (allewi)
allewi at cisco.com
Thu Aug 31 10:59:36 EDT 2017
If the limit is reached and it's not found, I wouldn't expect to see an alert.
The size of the data held can be set and should be explained in the readme.
SOURCEfire, Inc. now part of Cisco
Email: allewi at cisco.com
On 8/31/17, 10:55 AM, "tom.barbette at ulg.ac.be" <tom.barbette at ulg.ac.be> wrote:
>Thanks for your quick answer. However, this documentation is very limited.
>Let's say the first limit reached is a limit of 5 segments. My attack starts at segment 5. As the limit is reached, it is not found. Then segment 6 arrives with the end of the attack. What happens?
>I specifically consider inline mode. I guess the stream will not be held for the default max window of 65536 << 14 bytes, right?
>----- Original Message -----
>> From: "Al Lewis (allewi)" <allewi at cisco.com>
>> To: "tom barbette" <tom.barbette at ulg.ac.be>, snort-users at lists.snort.org
>> Sent: Thursday 31 August 2017 16:44:20
>> Subject: Re: [Snort-users] Limits of Snort TCP reconstruction
>> Take a look at the README.stream5 included in the download.
>> Albert Lewis
>> ENGINEER.SOFTWARE ENGINEERING
>> SOURCEfire, Inc. now part of Cisco
>> Email: allewi at cisco.com
>> On 8/31/17, 10:37 AM, "Snort-users on behalf of tom.barbette at ulg.ac.be"
>> <snort-users-bounces at lists.snort.org on behalf of tom.barbette at ulg.ac.be>
>>>I read a lot of documentation, but it is still not clear to me what the
>>>limitations of the Snort TCP reconstruction are. It seems that when creating a rule
>>>which matches on TCP payload, it will match the payload across multiple packets.
>>>But what's the limit in terms of number of packets here?
>>>E.g., if I want to match on "<script>.*</script>" in HTTP payload, would Snort
>>>fail to match if ".*" is actually big enough?
>>>If someone can link me to some more documentation, or help me understand the
>>>limits, that would be great.
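To make the boundary case discussed in this thread concrete, here is a small added model of a reassembly queue that rebuilds and inspects the queued data once a segment or byte limit is hit; this is my own illustration, not Snort's stream5 code and not from any poster, and the function names, the constructed sample segments and the "flush and clear on limit" behaviour are simplifying assumptions.

```python
import re

# Simplified model of how a reassembly queue with a segment/byte limit affects
# matching: detection only ever sees one rebuilt buffer at a time, so a pattern
# that straddles a flush boundary is never seen in full.  Assumption: real
# stream5 also flushes on other conditions (flush points, ACKs, PAF, session
# end); this model only flushes on the two limits and at end of stream.
def inspect_stream(segments, pattern, max_queued_segs, max_queued_bytes=0):
    """Return the list of flush numbers at which `pattern` matched.

    max_queued_bytes of 0 means unlimited, mirroring the stream5 convention.
    """
    regex = re.compile(pattern, re.DOTALL)
    queue, queued_bytes, hits, flush_no = [], 0, [], 0

    def flush():
        nonlocal queued_bytes, flush_no
        rebuilt = b"".join(queue)          # the "rebuilt packet" detection sees
        if regex.search(rebuilt):
            hits.append(flush_no)
        queue.clear()
        queued_bytes = 0
        flush_no += 1

    for seg in segments:
        queue.append(seg)
        queued_bytes += len(seg)
        seg_limit_hit = len(queue) >= max_queued_segs
        byte_limit_hit = max_queued_bytes and queued_bytes >= max_queued_bytes
        if seg_limit_hit or byte_limit_hit:
            flush()
    if queue:                               # final flush at end of stream
        flush()
    return hits

# Constructed sample stream: four filler segments, then the "attack" begins in
# segment 5 and ends in segment 6, exactly the case asked about above.
SEGMENTS = [b"A" * 10] * 4 + [b"BBBB<script>", b"evil()</script>CC"]
PATTERN = rb"<script>.*</script>"

if __name__ == "__main__":
    # With a 5-segment limit the pattern is split across two rebuilt buffers.
    print("limit 5 :", inspect_stream(SEGMENTS, PATTERN, 5))   # []
    # Raising the limit lets both halves land in one rebuilt buffer.
    print("limit 6 :", inspect_stream(SEGMENTS, PATTERN, 6))   # [0]
    # A byte cap of 50 bytes flushes after segment 5 as well, so it is missed.
    print("50 bytes:", inspect_stream(SEGMENTS, PATTERN, 100, 50))  # []
```

The practical lesson for a defender is that `max_queued_segs` and `max_queued_bytes` in `stream5_tcp` bound how much data a single rebuilt buffer can hold, so any content or PCRE that needs more than that span will not fire.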