PFRING DAQ module and Stream5 content match
Hello list

I'm testing the newly released DAQ module for snort for content matching
through regular expressions.

The test itself is very simple: a client requests a file from the server via
a simple wget, and the two machines are connected together
with an L2 bridge running a snort instance in passive mode with the
PFRING daq module.
To be sure that the request is segmented into multiple packets (namely 2),
I made the "GET" string very, very long, with the content
to be matched split across those packets.

The pcre signature itself is very simple:

alert tcp any any -> any any (msg:"pcre rule"; pcre:"/test_0_0/";
rev:0; sid:3;)

I also tried other signatures, such as the "Multiple Pattern Match" one, and the
result was the same: no alerts are fired by snort.
Today I also tried the standard PCAP daq module and it works well.

I think the problem lies in how the stream reassembly code interacts
with the daq module, but I haven't found anything yet.

Has anyone already experienced this behaviour?

vito piserchia
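A deterministic way to reproduce the test described above (a GET request whose matched content straddles two TCP segments) is to generate the traffic as a pcap instead of relying on wget's segmentation. The following Python script is an added example, not code from the original post or from the snort/ntop projects: it writes a pcap containing a constructed TCP handshake and a long GET request cut in the middle of the string `test_0_0`, so that neither segment alone contains the pattern and only correct Stream5 reassembly can match the pcre rule quoted above. The addresses, ports, MAC addresses and padding lengths are arbitrary values chosen for the example.

```python
"""Write a pcap with an HTTP GET whose matched content straddles two TCP
segments, for checking stream reassembly with a given DAQ module.
Added example: constructed traffic, not captured from the original test."""
import struct

MARKER = b"test_0_0"          # the content the pcre rule /test_0_0/ looks for
SYN, FIN, PSH, ACK = 0x02, 0x01, 0x08, 0x10


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum used by both IPv4 and TCP."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_request(pad_len: int = 700) -> bytes:
    """Constructed GET with a very long URI; the marker sits in the middle."""
    uri = b"/" + b"A" * pad_len + MARKER + b"B" * pad_len
    return b"GET " + uri + b" HTTP/1.0\r\nHost: example.test\r\n\r\n"


def split_on_marker(payload: bytes) -> tuple:
    """Cut the payload inside MARKER so no single segment contains it whole."""
    cut = payload.index(MARKER) + len(MARKER) // 2
    return payload[:cut], payload[cut:]


def _ip(addr: str) -> bytes:
    return bytes(int(o) for o in addr.split("."))


def ip_tcp_frame(src, dst, sport, dport, seq, ack, flags, ident, payload=b""):
    """Ethernet/IPv4/TCP frame with valid IP and TCP checksums (snort verifies
    checksums by default, so bad ones would be silently dropped)."""
    tcp_len = 20 + len(payload)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags,
                      65535, 0, 0)
    pseudo = _ip(src) + _ip(dst) + struct.pack("!BBH", 0, 6, tcp_len)
    tcp = tcp[:16] + struct.pack("!H", checksum(pseudo + tcp + payload)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + tcp_len, ident, 0x4000,
                     64, 6, 0, _ip(src), _ip(dst))
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    # arbitrary constructed MAC addresses, EtherType 0x0800 (IPv4)
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    return eth + ip + tcp + payload


def build_flow(client="10.0.0.1", server="10.0.0.2", sport=40000, dport=80):
    """Handshake, two client data segments, server ACK. Returns the frames
    and the two payload halves so callers can inspect the split."""
    req = build_request()
    seg1, seg2 = split_on_marker(req)
    cseq, sseq = 1000, 5000
    f = ip_tcp_frame
    frames = [
        f(client, server, sport, dport, cseq, 0, SYN, 1),
        f(server, client, dport, sport, sseq, cseq + 1, SYN | ACK, 2),
        f(client, server, sport, dport, cseq + 1, sseq + 1, ACK, 3),
        f(client, server, sport, dport, cseq + 1, sseq + 1, ACK | PSH, 4, seg1),
        f(client, server, sport, dport, cseq + 1 + len(seg1), sseq + 1,
          ACK | PSH, 5, seg2),
        f(server, client, dport, sport, sseq + 1, cseq + 1 + len(req), ACK, 6),
    ]
    return frames, seg1, seg2


def pcap_bytes(frames) -> bytes:
    """Classic libpcap file: global header (linktype 1 = Ethernet) + records."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1_700_000_000 + i, 0, len(frame), len(frame))
        out += frame
    return out


if __name__ == "__main__":
    frames, seg1, seg2 = build_flow()
    with open("split_get.pcap", "wb") as fh:
        fh.write(pcap_bytes(frames))
    print("segment 1:", len(seg1), "bytes, contains marker:", MARKER in seg1)
    print("segment 2:", len(seg2), "bytes, contains marker:", MARKER in seg2)
```

Replaying `split_get.pcap` with `snort -r split_get.pcap` and the pcre rule from the post isolates the reassembly question from wget's actual segmentation: if the alert fires from the file but not when the same frames are injected onto the bridge under the PFRING daq, the difference is on the acquisition side rather than in the rule.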

Ntop-misc mailing list