Snort mailing list archives
Re: stream4's new config
From: Jason Brvenik <jasonb () sourcefire com>
Date: Fri, 18 Nov 2005 09:47:44 -0500
zhaohui yin wrote:
while i read the snort source, I found some new config the stream4 preprocessor had support ,but those config can't find any description in the manual. preprocessor stream4:midstream_drop_alerts
Should sessions that appear to not be fully established but have alertable data be raised to the user or not. In general the answer would be no ( Think stateless user DoS ) but if you want to see events that would be generated then set this config option.
preprocessor stream4_reassemble: flush_behavior < default| random | large_window >,flush_seed <seed>,flush_base <base>,flush_range <range>
These config options control the boundaries that the stream preprocessor flushes reassembled data on. The options are documented in the default snort.conf with relevant bits copied here. # flush_behavior [mode] - # default - use old static flushpoints (default) # large_window - use new larger static flushpoints # random - use random flushpoints defined by flush_base, # flush_seed and flush_range # flush_base [number] - lowest allowed random flushpoint (512 by default) # flush_range [number] - number is the space within which random flushpoints are generated (default 1213) # flush_seed [number] - seed for the random number generator, defaults to Snort PID + time
who can tell the above config's means. -- yinzhaohui ------------------------------------------------------- This SF.Net email is sponsored by the JBoss Inc. Get Certified Today Register for a JBoss Training Course. Free Certification Exam for All Training Attendees Through End of 2005. For more info visit: http://ads.osdn.com/?ad_idv28&alloc_id845&op=click _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=ort-users
------------------------------------------------------- This SF.Net email is sponsored by the JBoss Inc. Get Certified Today Register for a JBoss Training Course. Free Certification Exam for All Training Attendees Through End of 2005. For more info visit: http://ads.osdn.com/?ad_id=7628&alloc_id=16845&op=click _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- stream4's new config zhaohui yin (Nov 17)
- Re: stream4's new config Will Metcalf (Nov 17)
- Re: stream4's new config zhaohui yin (Nov 17)
- Re: stream4's new config Jason Brvenik (Nov 18)
- Re: stream4's new config Will Metcalf (Nov 17)