Snort mailing list archives

Stream reassembly


From: Paul Smith <paulsnort () pscs co uk>
Date: Wed, 04 Sep 2002 10:44:03 +0100

Wouldn't it be a worthwhile option to put in the stream reassembler that it should re-create the reassembled packets as individual lines?

Alternatively, how about another pre-processor to split packets into lines?

This would solve the problem of false 'buffer overflow' alerts.

I've seen a message recently that in 1.9, DSIZE is going to refer to the original packet size - but surely that means that buffer overflows could be done by simply sending lots of small packets, and Snort wouldn't detect it. Being able to split reassembled packets into individual CR/LF/CRLF/LFCR lines on certain specified ports would mean that you'd still detect those without the false alarms that we seem to get currently.
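
The trade-off raised in the post above, as an added example that is not part of the original message or of Snort's code: a per-packet size check, a size check on the reassembled buffer, and the proposed per-line check, run over two constructed sessions. The function names, the 64-byte limit and the sample traffic are assumptions made for illustration.

```python
import re

# Line terminators named in the post: CRLF, LFCR, bare CR, bare LF.
# Two-byte forms come first so they are not split into two empty lines.
LINE_END = re.compile(rb"\r\n|\n\r|\r|\n")
LIMIT = 64  # assumed threshold, for illustration only


def per_packet_alerts(segments, limit=LIMIT):
    """Size check on each original segment; returns indexes over the limit."""
    return [i for i, seg in enumerate(segments) if len(seg) > limit]


def reassembled_alert(segments, limit=LIMIT):
    """Size check on the reassembled buffer as one unit."""
    return len(b"".join(segments)) > limit


def per_line_alerts(segments, limit=LIMIT):
    """Reassemble in order, split into lines, return (line_no, length) over the limit."""
    lines = LINE_END.split(b"".join(segments))
    return [(n, len(line)) for n, line in enumerate(lines) if len(line) > limit]


# Constructed sample 1: short, legitimate FTP commands pipelined over three segments.
BENIGN = [
    b"USER anonymous\r\nPASS guest@example.com\r\n",
    b"CWD /pub\r\nTYPE I\r\n",
    b"PASV\r\nRETR README\r\n",
]

# Constructed sample 2: one over-long command line delivered in 16-byte segments.
_long = b"USER " + b"A" * 200 + b"\r\n"
SPLIT_LONG = [_long[i:i + 16] for i in range(0, len(_long), 16)]

if __name__ == "__main__":
    for name, segs in (("benign", BENIGN), ("split long line", SPLIT_LONG)):
        print(name, per_packet_alerts(segs), reassembled_alert(segs), per_line_alerts(segs))
```

The benign session trips only the whole-buffer check, while the over-long line split into small segments is missed by the per-packet check and caught by the per-line check.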


