
vpiserchia at gmail
Aug 6, 2012, 5:53 AM
PFRING DAQ module and Stream5 content match
Hello list,

I'm testing the newly released DAQ module for snort for content matching through regular expressions. The test itself is very simple: a client requests a file from the server via a simple wget. The two machines are connected together with an L2 bridge running a snort instance in passive mode with the PFRING daq module.

To be sure that the request is segmented into multiple packets (namely 2), I made the "GET string" very very long, and the content to be matched is split across those packets. The pcre signature itself is very simple:

    alert tcp any any -> any any (msg:"pcre rule"; pcre:"/test_0_0/"; rev:0; sid:3;)

I also tried other signatures such as the "Multiple Pattern Match" one and the result was the same: no alerts are fired by snort. Today I tried the standard PCAP daq module as well and it works well.

I think the problem lies in how the stream reassembly code interacts with the daq module, but I haven't found anything yet. Has anyone already experienced this behaviour?

regards
vito piserchia

_______________________________________________
Ntop-misc mailing list
Ntop-misc [at] listgateway
http://listgateway.unipi.it/mailman/listinfo/ntop-misc
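The symptom described in the post (the rule fires with the PCAP DAQ but not with PF_RING) is the classic signature of detection running on individual packets instead of on the reassembled stream. The following Python script is an added illustration and is not code from the post, from Snort or from the PF_RING DAQ: it builds a constructed two-segment GET request with the string test_0_0 straddling the segment boundary, runs the same regular expression per packet (which misses) and over the reassembled byte stream (which matches), and also shows what happens when a segment is missing. The Segment type, the sample payloads and the simplified reassembler are all assumptions made for the example; a real Stream5 reassembler handles many more cases (retransmission policies, flush points, target-based OS profiles) than this sketch.

```python
import re
from dataclasses import dataclass

# Same content as the poster's rule option pcre:"/test_0_0/"
PATTERN = re.compile(rb"test_0_0")


@dataclass
class Segment:
    """Hypothetical stand-in for one TCP segment: sequence number of its first payload byte plus payload."""
    seq: int
    payload: bytes


# Constructed sample traffic: a long GET request split into two segments so that
# the matched content straddles the boundary ("test_" at the end of A, "0_0" at the start of B).
ISN = 1000
SEGMENT_A = Segment(seq=ISN, payload=b"GET /" + b"A" * 40 + b"test_")
SEGMENT_B = Segment(seq=ISN + len(SEGMENT_A.payload),
                    payload=b"0_0" + b"B" * 40 + b" HTTP/1.0\r\n\r\n")


def match_per_packet(segments):
    """Inspect every segment on its own, i.e. detection without stream reassembly.
    Returns one boolean per segment."""
    return [bool(PATTERN.search(seg.payload)) for seg in segments]


def reassemble(segments, isn):
    """Order segments by sequence number and concatenate contiguous payload starting at isn.
    Overlapping bytes (retransmissions) are dropped; the first gap stops reassembly,
    which mirrors the fact that a reassembler can only hand contiguous data to the detection engine."""
    data = bytearray()
    expected = isn
    for seg in sorted(segments, key=lambda s: s.seq):
        if seg.seq > expected:
            break  # hole in the stream: the missing segment has not been seen
        overlap = expected - seg.seq  # bytes already present
        data += seg.payload[overlap:]
        expected = max(expected, seg.seq + len(seg.payload))
    return bytes(data)


def match_reassembled(segments, isn):
    """Run the same regular expression over the reassembled stream."""
    return bool(PATTERN.search(reassemble(segments, isn)))


if __name__ == "__main__":
    # Per-packet inspection misses, reassembled inspection matches,
    # and out-of-order arrival (B before A) is handled by the sort on seq.
    print("per packet   :", match_per_packet([SEGMENT_A, SEGMENT_B]))
    print("reassembled  :", match_reassembled([SEGMENT_B, SEGMENT_A], ISN))
    print("missing seg A:", match_reassembled([SEGMENT_B], ISN))
```

A useful way to use this when validating a sensor deployment is to confirm that the capture path actually delivers both segments of such a request to the engine: if per-segment matching is the only thing that works, or if the second segment never arrives (the "missing seg A" case above), the problem is in capture or reassembly rather than in the rule itself.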