PFRING DAQ module and Stream5 content match
Hello list

I'm testing the newly released DAQ module for snort for content matching
through regular expressions.

The test itself is very simple: a client requests a file from the server via
a simple wget, and the two machines are connected together
with an L2 bridge running a snort instance in passive mode with the
PFRING daq module.
To be sure that the request is segmented into multiple packets (namely 2),
I made the "GET string" very very long, and the content
to be matched is split across those packets.

The pcre signature itself is very simple:

alert tcp any any -> any any (msg:"pcre rule"; pcre:"/test_0_0/"; rev:0; sid:3;)

I also tried other signatures, such as the "Multiple Pattern Match", and the
result was the same: no alerts are fired by snort.
Today I also tried the standard PCAP daq module and it works well.

I think the problem lies in how the stream reassembly code interacts
with the daq module, but I haven't found anything yet.

Has anyone already experienced this behaviour?

vito piserchia
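
An offline check of the condition this test depends on, as an added example that is not part of the original post or of Snort: it cuts a constructed request so that the pcre string straddles two segments, then compares per-packet matching with matching on the reassembled stream. The segment size, sequence numbers and function names are assumptions of the sketch.

```python
import re

PATTERN = re.compile(rb"test_0_0")  # same expression as the pcre rule in the post

# Constructed request: a long GET line with the pattern placed at byte offset 1456,
# so a 1460-byte segment boundary falls in the middle of it.
REQUEST = b"GET /" + b"A" * 1451 + b"test_0_0" + b"A" * 100 + b" HTTP/1.0\r\n\r\n"

def build_segments(request, mss, isn=1000):
    """Cut one request into (seq, payload) TCP-like segments of at most mss bytes."""
    return [(isn + off, request[off:off + mss]) for off in range(0, len(request), mss)]

def per_packet_hits(segments):
    """Sequence numbers of segments whose own payload matches (no reassembly)."""
    return [seq for seq, data in segments if PATTERN.search(data)]

def reassemble(segments):
    """Rebuild the byte stream in sequence order.

    Assumed policy for this sketch: overlapping or retransmitted bytes never
    overwrite data already placed, and reassembly stops at the first gap.
    """
    ordered = sorted(segments, key=lambda s: s[0])
    if not ordered:
        return b""
    base = ordered[0][0]
    stream = bytearray()
    for seq, data in ordered:
        offset = seq - base
        if offset > len(stream):      # hole: an earlier segment is missing
            break
        stream.extend(data[len(stream) - offset:])  # skip bytes already held
    return bytes(stream)

def stream_matches(segments):
    """True when the pattern is found in the reassembled stream."""
    return PATTERN.search(reassemble(segments)) is not None

if __name__ == "__main__":
    segs = build_segments(REQUEST, mss=1460)
    print("segments:", [(seq, len(data)) for seq, data in segs])
    print("per-packet hits:", per_packet_hits(segs))
    print("reassembled stream matches:", stream_matches(segs))
```

If the per-packet list is empty while the reassembled stream matches, an alert can only come from the reassembly path, which is the behaviour being compared between the two DAQ modules.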

