Re: Snort decoder

["Al Lewis (allewi)" <allewi () cisco com>]

Base64 depth can be set under each preprocessor. In general "-1" disables it ,0 sets it to unlimited. Anything between 
1-65535 sets it to a specific depth. See the manual for an example here:

http://manual.snort.org/node17.html


> From the manual on the smtp preprocessor section:

b64_decode_depth 
This config option is used to turn off/on or set the base64 decoding depth used to decode the base64 encoded MIME 
attachments. The value ranges from -1 to 65535. A value of -1 turns off the base64 decoding of MIME attachments. The 
value of 0 sets the decoding of base64 encoded MIME attachments to unlimited. A value other than 0 or -1 restricts the 
decoding of base64 MIME attachments, and applies per attachment. A SMTP preprocessor alert with sid 10 is generated (if 
enabled) when the decoding fails.


Hope this helps.

Albert Lewis
QA Software Engineer
SOURCEfire, Inc. now part of Cisco
9780 Patuxent Woods Drive
Columbia, MD 21046 
Phone: (office) 443.430.7112
Email: allewi () cisco com 

-----Original Message-----
From: Ron Sal [mailto:nsamurain () gmail com] 
Sent: Monday, January 26, 2015 8:21 AM
To: snort-devel () lists sourceforge net
Subject: [Snort-devel] Snort decoder


> my problem is that if i want to match on multiple content within the
> base64 decoded data ( done by preprocessor, file_data) its like there 
> is a limit for maximum distance between the contents.
>
> 2 content with 10024 bytes between and that is not working but 2 
> content with 2016 between is working Is there a limit? can i read 
> about it? is it configurable?

/Ronnie

------------------------------------------------------------------------------
Dive into the World of Parallel Programming. The Go Parallel Website, sponsored by Intel and developed in partnership 
with Slashdot Media, is your hub for all things parallel software development, from weekly thought leadership blogs to 
news, videos, case studies, tutorials and more. Take a look and join the conversation now. 
http://goparallel.sourceforge.net/
_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel
Archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel

Please visit http://blog.snort.org for the latest news about Snort!

------------------------------------------------------------------------------
Dive into the World of Parallel Programming. The Go Parallel Website,
sponsored by Intel and developed in partnership with Slashdot Media, is your
hub for all things parallel software development, from weekly thought
leadership blogs to news, videos, case studies, tutorials and more. Take a
look and join the conversation now. http://goparallel.sourceforge.net/
_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel
Archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel

Please visit http://blog.snort.org for the latest news about Snort!