Bug #5110
closed
Bug #5076: keyword content does not work over reassembled TCP
keyword content does not work over reassembled TCP (6.0.x backport)
Added by Jeff Lucovsky almost 3 years ago.
Updated over 1 year ago.
Description
Using rule
alert ip any any -> any any (content:"HTTP/2.loc"; sid:11;)
on attached pcap
with stream.reassembly.toserver-chunk-size=25
does not trigger an alert
It does trigger the alert without the setting.
I fear we might have an evasion if I split the packets over the default value of 2560...
- Copied from Bug #5076: keyword content does not work over reassembled TCP added
- Target version changed from 6.0.5 to 6.0.6
- Subject changed from keyword content does not work over reassembled TCP to keyword content does not work over reassembled TCP (6.0.x backport)
- Target version changed from 6.0.6 to 6.0.7
- Target version changed from 6.0.7 to 6.0.8
- Target version changed from 6.0.8 to 6.0.9
- Target version changed from 6.0.9 to 6.0.10
- Target version changed from 6.0.10 to 6.0.11
- Assignee changed from Shivani Bhardwaj to Victor Julien
- Target version changed from 6.0.11 to 6.0.12
- Target version changed from 6.0.12 to 6.0.13
- Target version changed from 6.0.13 to 6.0.14
- Target version changed from 6.0.14 to 6.0.15
- Status changed from Assigned to Rejected
I do not think we will fix that in 7 soon...
So closing the backport to 6 until there is a fix in master
Also available in: Atom
PDF