Snort mailing list archives
Re: Reassembled packets from Frag3 and Stream5
From: Wu Wei Dong <wu_weidong () yahoo com>
Date: Tue, 14 Oct 2008 17:53:19 -0700 (PDT)
So it's possible for the pseudo-packets reassembled by Frag3 and Stream5 to be identical, in terms of both the headers and payload, if the fragments are the same? Do the pseudo-packets go through the preprocessors again, since the decoder comes before the preprocessors? Also, what do you mean by "performance increase that is gained by handling flows with an understanding of the stream state"?

Thank you.

Regards,
Rayne

--- On Tue, 10/14/08, Matt Olney <molney () sourcefire com> wrote:
From: Matt Olney <molney () sourcefire com>
Subject: Re: [Snort-users] Reassembled packets from Frag3 and Stream5
To: hjazz6 () ymail com
Cc: snort-users () lists sourceforge net
Date: Tuesday, October 14, 2008, 9:00 PM

The reassembled packets are identical to the combined payloads of the packets that are reassembled. Snort reinjects the reassembled packets (pseudopackets) at the decoder level and detection is run against the reassembled packets. While this does indeed add load to the system, this cost is entirely acceptable given the decrease in trivial evasion possibilities and is more than offset by the performance increase that is gained by handling flows with an understanding of the stream state.

Matt

On Tue, Oct 14, 2008 at 4:42 AM, Rayne <hjazz6 () ymail com> wrote:

Hi all,

I know that Frag3 reassembles IP fragments, and Stream5 reassembles TCP fragments. So are the reassembled packets identical, i.e. in terms of payload? And wouldn't this increase the volume of traffic passed into the detection engine and cause it to run slower, since there are now more packets to check against the rules?

Thank you.
Regards,
Rayne

-------------------------------------------------------------------------
This SF.Net email is sponsored by the Moblin Your Move Developer's challenge
Build the coolest Linux based applications with Moblin SDK & win great prizes
Grand prize is a trip for two to an Open Source event anywhere in the world
http://moblin-contest.org/redirect.php?banner_id=100&url=/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
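As an added illustration, not part of the thread or of Snort's own code, of why detection runs against the reassembled pseudo-packet rather than against each fragment: the constructed script below splits a datagram into IP-style fragments, rebuilds it from out-of-order pieces, and shows that a rule's content pattern straddling a fragment boundary is only visible in the reassembled payload. Fragment, fragment(), reassemble() and demo() are hypothetical names for this demo; the same offset-based logic applies to TCP segments keyed by sequence number, which is the Stream5 side of the question.

```python
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class Fragment:
    offset: int   # byte offset of this piece within the original datagram
    more: bool    # IP "more fragments" flag; False only on the final piece
    data: bytes


def fragment(payload: bytes, mtu: int) -> list[Fragment]:
    """Split a datagram into mtu-sized pieces, as a router would on a small link."""
    return [Fragment(off, off + mtu < len(payload), payload[off:off + mtu])
            for off in range(0, len(payload), mtu)]


def reassemble(frags: list[Fragment]) -> bytes | None:
    """Rebuild the datagram from fragments received in any order.

    Returns None while the final fragment is missing or a hole remains;
    on overlap, bytes already placed from a lower-offset fragment are kept
    (a simplification, not Frag3's target-based overlap policies)."""
    if not frags or max(frags, key=lambda f: f.offset).more:
        return None                      # last fragment has not arrived
    buf = bytearray()
    for f in sorted(frags, key=lambda f: f.offset):
        if f.offset > len(buf):
            return None                  # gap: an intermediate fragment is missing
        buf.extend(f.data[len(buf) - f.offset:])
    return bytes(buf)


def demo() -> dict:
    """Compare per-fragment matching with matching on the pseudo-packet."""
    pattern = b"EVIL-SIGNATURE"          # constructed rule content, not a real rule
    payload = b"GET /index.html?q=" + pattern + b" HTTP/1.0\r\n"
    frags = fragment(payload, 8)[::-1]   # 8-byte pieces, delivered in reverse order
    pseudo = reassemble(frags)
    return {
        "per_fragment_hit": any(pattern in f.data for f in frags),
        "pseudo_packet_hit": pseudo is not None and pattern in pseudo,
        "identical_to_original": pseudo == payload,
        "incomplete_is_held": reassemble(frags[1:]) is None,
    }


if __name__ == "__main__":
    print(demo())
```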
Current thread:
- Reassembled packets from Frag3 and Stream5 Rayne (Oct 14)
- Re: Reassembled packets from Frag3 and Stream5 Matt Olney (Oct 14)
- <Possible follow-ups>
- Re: Reassembled packets from Frag3 and Stream5 Wu Wei Dong (Oct 14)
- Re: Reassembled packets from Frag3 and Stream5 Matt Olney (Oct 15)
- Re: Reassembled packets from Frag3 and Stream5 Rayne (Oct 15)
- Re: Reassembled packets from Frag3 and Stream5 Matt Olney (Oct 15)