From: Stephan S. <ss...@as...> - 2004-01-27 09:09:44
Does anybody have an idea how much effort it would be to adapt the stream4
preprocessor to inline mode? Maybe there is something I can do about it.
I haven't had time to dig into the code though.

Stephan

> Keep in mind that SNIL does not support the stream4 preprocessor which
> means that if you are trying to match a packet where the signature ends
> up spanning two TCP datagrams, then it will fail (no half matching of
> signatures!). Something like this can easily happen with long signatures
> and small TCP datagram sizes and is also influenced by the location of
> the signature in the data being packetised.
>
> Note that it is not an IP fragmentation issue but a question of TCP data
> spanning more than one packet.
>
> There is unfortunately currently not a cure in the OSS community for
> this problem and unless we get TCP reassembly support going, will be
> with us for a while.

--
Stephan Scholz <ss...@as...> | Development
Astaro AG | www.astaro.com | Phone +49-721-490069-0 | Fax -55

Awards for ASL:
- Nätverk & Kommunikation Magazine, Sweden: "Five Stars" - October 2003
- Linux Enterprise Readers' Choice Award: Best Firewall - October 2003
- LinuxWorld Product Excellence Award: Best Security Solution - August 2003
- "Excellent" Infoworld Magazine - August 2003
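The detection gap described in the quoted text, as an added example that is not part of the original message and is not Snort or stream4 code: a per-packet matcher misses a pattern that straddles two TCP segments, while a matcher that first orders the payload by sequence number finds it. The `seg` struct, the function names, the pattern and the traffic are all constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* One TCP segment of one flow direction (constructed model, not Snort's structs). */
struct seg { uint32_t seq; const char *data; size_t len; };

#define ISN 1000u                                /* constructed initial sequence number */
static const char SIG[] = "EXAMPLE-SIGNATURE";   /* constructed pattern */
/* Constructed traffic: the pattern straddles two segments, delivered out of order. */
static const struct seg SPLIT[] = {
    { ISN + 12, "SIGNATURE xyz", 13 },
    { ISN,      "abc EXAMPLE-",  12 },
};

/* Search one contiguous byte range for the pattern. */
static int find(const char *p, size_t n, const char *sig) {
    size_t sl = strlen(sig);
    for (size_t o = 0; o + sl <= n; o++)
        if (memcmp(p + o, sig, sl) == 0) return 1;
    return 0;
}

/* Per-packet matching: each segment is inspected in isolation. */
int match_per_packet(const struct seg *s, size_t n, const char *sig) {
    for (size_t i = 0; i < n; i++)
        if (find(s[i].data, s[i].len, sig)) return 1;
    return 0;
}

/* Stream matching: place each segment at (seq - isn), then search only the
   contiguous prefix that has arrived. On overlap the later copy wins (simplification). */
int match_reassembled(const struct seg *s, size_t n, uint32_t isn, const char *sig) {
    char buf[256];
    unsigned char have[256] = {0};
    size_t end = 0;
    for (size_t i = 0; i < n; i++) {
        uint32_t off = s[i].seq - isn;           /* unsigned math survives seq wrap */
        if (off >= sizeof buf || s[i].len > sizeof buf - off) continue; /* outside window */
        memcpy(buf + off, s[i].data, s[i].len);
        memset(have + off, 1, s[i].len);
    }
    while (end < sizeof buf && have[end]) end++;
    return find(buf, end, sig);
}

int main(void) {
    printf("per-packet=%d reassembled=%d\n", match_per_packet(SPLIT, 2, SIG),
           match_reassembled(SPLIT, 2, ISN, SIG));
    return 0;
}
```

For an inline deployment the second function also shows the cost: the engine has to hold or track earlier segments of the flow before it can reach a verdict on a later one.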