Snort mailing list archives

IPS_OPTION https server name and reassembled tcp buffer


From: Batuhan Arda Kibrit via Snort-devel <snort-devel () lists snort org>
Date: Fri, 16 Sep 2022 15:01:34 +0000

Hello everyone,

I have two questions to ask:

  1.  I want to reach the HTTPS server name in my IPS option. Is there an IPS option like Suricata's tls.sni in Snort?
      If not, how can I find the server name in my IPS option plugin?
  2.  I wrote an IPS option to scan downloaded files in a ClamAV socket, but I can read at most a 64 KB file. I wrote
      these lines to read file data:

      In my snort.lua configuration file:

          snort["-s"] = 65535

      In my IPS option plugin:

          DataPointer dp = DetectionEngine::get_file_data(p->context); dp.data;

      Is it possible to read more than 64 KB in the reassembled TCP buffer, and how can I reach the reassembled TCP
      buffer, or is there any other way to read file data? It would be good for me to scan at least an 8 MB file.

Thanks in advance

Batuhan

