Re: Problems with spp_stream4.

[Joe McAlerney <joey () SiliconDefense com>]

Hi Emilio,

It doesn't look like the stream4 parser needs (or wants) the quotes. 
Try this:

preprocessor stream4_reassemble: both, ports all

-Joe M.

-- 
Joe McAlerney
Silicon Defense: IDS Solutions

Emilio Mira wrote:
> I don't know what I'm doing badly.
>
> With "HOME_NET any" and "EXTERNAL_NET any", I'm trying Snort advertises
> 'hello' string in a telnet session with rule (in telnet.rules):
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET 23 (msg:"TELNET hello"; flags:A+;
> content:"hello"; sid:3712; )
>
> > From my network, I connect with an outside server and type 'hello', but
> Snort doesn't see it. But if I do 'cut-and-paste' over the virtual
> terminal with 'hello' then do it. It seems like stream4 doesn't do its
> job.
>
> In snort.conf (snort 1.8.7) I have:
>
> preprocessor stream4: detect_scans
>
>
> Anyone could say me what I'm doing badly?
>
> Thank you.
>
> --
> Emilio Mira
>
> -------------------------------------------------------
> This sf.net email is sponsored by:ThinkGeek
> Welcome to geek heaven.
> http://thinkgeek.com/sf
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users


-------------------------------------------------------
This sf.net email is sponsored by:ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users