Hi Snort experts,
I have a question when using 'pkt_data' keyword in snort rules.
But after I added this setting to configuration, it seems not working.
Pls help to check why the configuration not chenged in my working env, Thanks
The snort version is v3.7.4.0. Here is what I tried:
(1) add change to snort.lua file:
add "include('max_datect.lua')" or "search_engine.detect_raw_tcp = true" or "search_engine = { detect_raw_tcp = true }"
(2) add parameter in command
add "--lua 'search_engine.detect_raw_tcp = true'" or "--tweaks max_detect"
After doing above, I checked configuration by using "--help-config search_engine |grep tcp", and get the output:
bool search_engine.detect_raw_tcp = false: detect on TCP payload before reassembly
I also checked with some simple pcap with following snort rules, and seems no matter how the configuration changed, the 3rd rule(with 'pkt_data' in rule) never matched:
alert tcp any any -> any $HTTP_PORTS ( msg:"check pkt_data-1"; content:"/index.php"; content:"Accept-Encoding: gzip"; sid:10001001; rev:1; )
alert tcp any any -> any $HTTP_PORTS ( msg:"check pkt_data-2"; http_uri; content:"/index.php"; http_header; content:"Accept-Encoding: gzip"; sid:10001002; rev:1; )
alert tcp any any -> any $HTTP_PORTS ( msg:"check pkt_data-3"; http_header; content:"Accept-Encoding: gzip"; pkt_data; content:"/index.php"; sid:10001003; rev:1; )
The pcap is attached to the mail.