Snort mailing list archives
Call for Stream5 Testers
From: Steven Sturges <steve.sturges () sourcefire com>
Date: Mon, 22 Jan 2007 17:44:35 -0500
Hi Snorters!

With the Snort 2.7.0 Beta1 now available (see www.snort.org for details!), we wanted to put out a request for beta testers who will specifically look at Stream5.

Since we are all looking to make Snort better, please let us know what you are testing. We want to be sure we have as much coverage as possible.

Your platform:
    OS (Windows, FC6, Ubuntu 6.06, etc)
    prebuilt or built from src tarball
    If built from src, your 'configure' line
Your configuration (snort.conf, rules)

To be an active participant please email us at snort-beta () sourcefire com with the above information.

If you have any issues, bugs, concerns, etc, please send the above information, as well as a traffic capture (pcap/tcpdump format) if possible so that we can try to reproduce it quickly. And don't forget that credible bugs lead to Snort goodies!

Here is some additional information specifically relating to testing Stream5.

* Stream5 has a series of target-based policies for reassembly (and handling of various TCP flags, timestamps, etc). You should disable BOTH Stream4 AND flow preprocessors -- Stream5 is designed to replace both of them. Look at README.stream5 for specific configuration option details and syntax.

  Policies and corresponding OS's are:

    Policy Name   Operating Systems
    -----------   -----------------
    bsd           FreeBSD, OpenBSD, etc
    solaris       Solaris 9, Solaris 10
    macos         Mac OSX, MacOS 10.4
    hpux          HPUX-11
    hpux10        HPUX-10.2
    linux         Linux Kernel 2.4 & newer
    old-linux     Linux Kernel 2.2 & earlier
    windows       Windows 2000, 95, 98, ME, NT, XP
    win2003       Windows 2003 Server
    vista         Windows Vista
    irix          SGI Irix

  Specify the policy name with the policy option and use the bind_to option to tie that policy to the TCP recipient of that packet.

  Examples:

  1) The following example has linux kernels residing on the 192.168.1 network, a solaris host on 172.168.1.1, and all others (the 'default' policy) using windows. UDP is also tracked for the purposes of flowbits. Reassembly occurs on the default set of client ports (see README.stream5 for details).

    preprocessor stream5_global: track_tcp yes, max_tcp 16184, \
        track_udp yes
    preprocessor stream5_tcp: policy linux, bind_to 192.168.1.0/24
    preprocessor stream5_tcp: policy solaris, bind_to 172.168.1.1
    preprocessor stream5_tcp: policy windows
    preprocessor stream5_udp:

  2) This example has a specific win2003 server -- perhaps it would be listed as an IIS server for the http_inspect config, too. :) Reassembly on ports 137 (DCE) and 80 & 8080 (HTTP). And a solaris SMTP server, default ports for the client side. Plus remaining network of linux hosts. Uses the default max_tcp sessions of 8192.

    preprocessor stream5_global: track_tcp yes, track_udp yes
    preprocessor stream5_tcp: policy win2003, bind_to 192.168.1.1, \
        ports client 137, ports both 80 8080
    preprocessor stream5_tcp: policy solaris, bind_to 192.168.1.2, \
        ports server 25, ports client
    preprocessor stream5_tcp: policy linux, bind_to 192.168.1.0/24, use_static_footprint_sizes, require_3whs
    preprocessor stream5_udp:

* Test any configuration option listed in the Stream5 README file.

* Use all protocol analyzers including Frag3, HTTP Inspect, SMTP, FTP/Telnet, DCE/RPC, etc. as you normally would

* Test Inline and IDS deployments

Cheers.
-steve
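A small lint for the points the message above asks testers to get right, as an added example that is not part of the original post or of Snort itself: it flags Stream4/flow preprocessors left enabled alongside Stream5, policy names that are not in the table, and bind_to values that are not an IP or CIDR. The sample config, the misspelled `win2k3` and the function names are constructed for illustration; `stream4_reassemble` is included as a legacy preprocessor name although the message names only Stream4 and flow.

```python
import ipaddress
import re

# Policy names copied from the table in the message above.
KNOWN_POLICIES = {"bsd", "solaris", "macos", "hpux", "hpux10", "linux",
                  "old-linux", "windows", "win2003", "vista", "irix"}
LEGACY = ("stream4", "stream4_reassemble", "flow")  # replaced by Stream5

# Constructed sample: flow left enabled and one policy name misspelled.
SAMPLE = r"""
preprocessor flow: stats_interval 0 hash 2
preprocessor stream5_global: track_tcp yes, track_udp yes
preprocessor stream5_tcp: policy linux, bind_to 192.168.1.0/24
preprocessor stream5_tcp: policy win2k3, bind_to 192.168.1.1, \
    ports client 137, ports both 80 8080
preprocessor stream5_tcp: policy windows
"""

def preprocessors(conf_text):
    """Yield (name, [options]) for each active preprocessor line."""
    joined = re.sub(r"\\\s*\n", " ", conf_text)  # join backslash continuations
    for line in joined.splitlines():
        m = re.match(r"preprocessor\s+([\w-]+)\s*:?\s*(.*)$", line.split("#", 1)[0].strip())
        if m:
            yield m.group(1), [o.strip() for o in m.group(2).split(",") if o.strip()]

def lint(conf_text):
    """Return a list of findings for the Stream5 part of a snort.conf."""
    pre = list(preprocessors(conf_text))
    names = {name for name, _ in pre}
    findings = []
    if any(n.startswith("stream5") for n in names):
        findings += [f"{n} is still enabled alongside Stream5" for n in LEGACY if n in names]
    for name, opts in pre:
        if name != "stream5_tcp":
            continue
        kv = dict((o.split(None, 1) + [""])[:2] for o in opts)  # "key value" -> {key: value}
        if "policy" in kv and kv["policy"] not in KNOWN_POLICIES:
            findings.append(f"unknown policy '{kv['policy']}'")
        if "bind_to" in kv:
            try:
                ipaddress.ip_network(kv["bind_to"], strict=False)
            except ValueError:
                findings.append(f"bind_to '{kv['bind_to']}' is not an IP or CIDR")
    return findings

if __name__ == "__main__":
    print("\n".join(lint(SAMPLE)))
```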