From: Adayadil T. <ada...@gm...> - 2008-08-07 20:14:43
Greetings. I have a question/concern regarding the "replace:" rule option. Example rule from the manual:

alert tcp any any <> any 80 (msg: "tcp replace"; content:"GET"; replace:"BET";)

Although not specified in the manual, it seems the functionality is meant to be used on a packet-by-packet basis and not on a stream (TCP stream). For example: for the above rule, consider that the "GET" is spread across 3 segments, each one byte long, and all of them arrive in order. The first 2 bytes ('G' and 'E') will be forwarded to the destination before the rule is triggered; at that point, replacing "GET" with "BET" is not possible without the IPS retransmitting the previous 2 bytes and hoping that the destination OS favors newer data. Thoughts?
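The scenario described in the post, as an added illustration that is not part of the original message or of Snort itself: a small Python simulation of a per-packet matcher next to a stream-buffering matcher, run over constructed TCP segments. The segment contents, function names and the "hold back a possible partial match" strategy are assumptions made for the example; Snort's actual reassembly and replace logic is not reproduced here.

```python
"""Constructed simulation: Snort-style content/replace applied per packet
versus on a reassembled TCP stream. Not Snort's own code."""


def replace_per_packet(segments, pattern, replacement):
    """Packet-by-packet model: each segment is inspected in isolation and
    forwarded immediately. A pattern split across segments is never seen.
    Returns (bytes forwarded to destination, number of matches)."""
    forwarded = []
    hits = 0
    for seg in segments:
        if pattern in seg:
            seg = seg.replace(pattern, replacement, 1)
            hits += 1
        forwarded.append(seg)
    return b"".join(forwarded), hits


def replace_on_stream(segments, pattern, replacement):
    """Stream model (assumed strategy): buffer data and hold back at most
    len(pattern)-1 trailing bytes that could be the start of a match, so a
    match spanning segment boundaries is rewritten before it is forwarded.
    Returns (bytes forwarded to destination, number of matches)."""
    forwarded = []
    pending = b""
    hits = 0
    for seg in segments:
        pending += seg
        while True:
            i = pending.find(pattern)
            if i < 0:
                break
            pending = pending[:i] + replacement + pending[i + len(pattern):]
            hits += 1
        # Keep only a trailing prefix of the pattern unforwarded.
        keep = 0
        for k in range(min(len(pattern) - 1, len(pending)), 0, -1):
            if pattern.startswith(pending[-k:]):
                keep = k
                break
        if keep:
            forwarded.append(pending[:-keep])
            pending = pending[-keep:]
        else:
            forwarded.append(pending)
            pending = b""
    forwarded.append(pending)  # flush whatever is left at end of stream
    return b"".join(forwarded), hits


# Constructed segments: "GET" arrives as three one-byte segments, in order.
SPLIT_REQUEST = [b"G", b"E", b"T", b" /index.html HTTP/1.0\r\n"]
# Constructed single-segment request for comparison.
WHOLE_REQUEST = [b"GET /index.html HTTP/1.0\r\n"]


if __name__ == "__main__":
    for name, segs in (("split", SPLIT_REQUEST), ("whole", WHOLE_REQUEST)):
        print(name, "per-packet:", replace_per_packet(segs, b"GET", b"BET"))
        print(name, "stream:   ", replace_on_stream(segs, b"GET", b"BET"))
```

With the split request the per-packet model forwards "GET" untouched and never matches, while the stream model matches once and forwards "BET"; with the single-segment request both behave the same. The difference is exactly the two already-forwarded bytes the post worries about: only a matcher that delays forwarding until a possible match is resolved can avoid them.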