[Snort-users] How Snort handles contents divided in multiple packets?

Hamza Ali hamxali at gmail.com
Mon May 28 08:35:37 EDT 2018


Hello,

I am learning snort so sorry if it's a very basic question. Consider the
rule:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC";
flow:to_server,established; content:"HELLO",depth 6;
content:"MATE",depth 4,offset 7; sid:42129; rev:1; )

Basically, if "HELLO" and "MATE" are seen in the specified locations in the
same packet on the given four-tuple, the alert will trigger.

My question is what will happen if "HELLO" is sent in the first packet and
"MATE" is sent in the second packet. Since both contents have to be present
in the same packet according to the rule, the rule will not fire but the
message will be transmitted. How will snort deal with this scenario? Thanks
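Editor's note with an added example (not part of the post above and not Snort's own code). The case the poster describes is exactly what the Stream preprocessor exists for: because the rule carries flow:established, Snort does not evaluate the content options only against the raw segments; the TCP stream is reassembled and detection also runs over the reassembled buffer, so "HELLO" and "MATE" can arrive in different packets and still satisfy both content checks, with offset and depth counted from the start of the reassembled data. The model below contrasts per-packet matching with reassembled-stream matching, tolerates out-of-order and overlapping segments, stops at a hole, and also shows the practical caveat that if the reassembler flushes a buffer between the two strings the match is lost again. Sequence numbers are relative byte offsets, the sample segments are constructed for the example, and the flush size is a hypothetical parameter, not a Snort setting.

```python
"""Model of per-packet vs. reassembled-stream content matching.

Added example, not Snort code. Assumptions:
  * a TCP flow is modelled as (seq, payload) segments; seq is the
    relative sequence number of the payload's first byte;
  * offset/depth follow Snort's semantics for a plain content option:
    offset is counted from byte 0 of the inspected buffer and depth is
    the number of bytes searched starting at offset;
  * the reassembler hands contiguous data to detection in one buffer, or
    in fixed-size chunks when a (hypothetical) flush size is given.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Content:
    pattern: bytes
    offset: int = 0
    depth: Optional[int] = None

    def matches(self, buf: bytes) -> bool:
        end = None if self.depth is None else self.offset + self.depth
        return self.pattern in buf[self.offset:end]


# The two content options from the rule in the post (absolute offset/depth).
RULE = (Content(b"HELLO", offset=0, depth=6),
        Content(b"MATE", offset=7, depth=4))

Segment = Tuple[int, bytes]


def rule_matches(buf: bytes, rule=RULE) -> bool:
    """Every content option must hit inside the same inspected buffer."""
    return all(c.matches(buf) for c in rule)


def inspect_per_packet(segments: List[Segment], rule=RULE) -> List[bool]:
    """Evaluate the rule against each segment payload on its own."""
    return [rule_matches(payload, rule) for _, payload in segments]


def reassemble(segments: List[Segment], start_seq: int = 0) -> bytes:
    """Order segments by seq and return the contiguous bytes from start_seq.

    Out-of-order arrival is tolerated; data after a hole is not delivered
    (a real reassembler would hold it until the gap is filled).
    Overlapping retransmissions keep the copy already delivered.
    """
    buf = bytearray()
    expected = start_seq
    for seq, payload in sorted(segments, key=lambda s: s[0]):
        if seq > expected:           # hole in the stream: stop at the gap
            break
        skip = expected - seq        # overlap with already-delivered bytes
        if skip < len(payload):
            buf += payload[skip:]
            expected += len(payload) - skip
    return bytes(buf)


def inspect_stream(segments: List[Segment], rule=RULE,
                   flush_at: Optional[int] = None) -> List[bool]:
    """Evaluate the rule on reassembled data, optionally in flush-sized chunks.

    Returns one bool per buffer handed to detection.
    """
    data = reassemble(segments)
    if flush_at is None:
        return [rule_matches(data, rule)]
    chunks = [data[i:i + flush_at] for i in range(0, len(data), flush_at)]
    return [rule_matches(chunk, rule) for chunk in chunks]


# Constructed sample flows. "HELLO, " is in the first segment and "MATE\r\n"
# in the second, so "MATE" sits at byte 7 of the stream but byte 0 of packet 2.
SPLIT_FLOW = [(0, b"HELLO, "), (7, b"MATE\r\n")]
OUT_OF_ORDER_FLOW = [(7, b"MATE\r\n"), (0, b"HELLO, ")]
GAPPED_FLOW = [(0, b"HELLO, "), (9, b"TE\r\n")]       # bytes 7..8 never arrive


if __name__ == "__main__":
    print("per packet            :", inspect_per_packet(SPLIT_FLOW))   # [False, False]
    print("reassembled           :", inspect_stream(SPLIT_FLOW))       # [True]
    print("out of order, reassembled:", inspect_stream(OUT_OF_ORDER_FLOW))
    print("flushed every 8 bytes :", inspect_stream(SPLIT_FLOW, flush_at=8))
    print("hole in stream        :", inspect_stream(GAPPED_FLOW))
```

Run it as a script to see the per-packet evaluation miss on both segments while the reassembled buffer matches; the flush_at=8 case is the one to remember when a rule that looks right never fires on split traffic, since a buffer boundary between the two strings reproduces the per-packet miss even with reassembly enabled.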