Snort mailing list archives
Re: stream5 and use_static_footprint_sizes
From: Matt Olney <molney () sourcefire com>
Date: Tue, 8 Dec 2009 11:07:15 -0500
Guise,

I'll check with Brian, who manages the open snort config file, and see what's up.

Matt

On Tue, Dec 8, 2009 at 10:53 AM, Guise McAllaster <guise.mcallaster () gmail com> wrote:

> Todd,
>
> Thanks for this response, I really appreciate it. From what you say and what I have read, it seems that using use_static_footprint_sizes is not recommended. However, I am puzzled because I just did a generic snort install (using Ubuntu and apt-get) and I notice that use_static_footprint_sizes IS enabled. But why?
>
> --Guise
>
> On Mon, Dec 7, 2009 at 10:36 PM, Todd Wease <twease () sourcefire com> wrote:
>
>> Guise McAllaster wrote:
>>
>>> Hi, I inherited some snorts and noticed that they all had the 'use_static_footprint_sizes' option enabled for the stream5 preprocessor. Can someone please give me more info about this. I am reading in the manual where it recommends not to have this turned on in production, but it looks like a lot of people use it. Why? The README says it emulates stream4 flushing of reassembled packets, but I still do not know what this means.
>>>
>>> Thx.
>>>
>>> --Guise
>>
>> It's really only good for testing against pcaps, in that consistent results can be gotten on multiple runs since the flush points will be the same each time and hence segmented streams will always be reassembled the same way. Note that stream will gather segments, handle overlaps and such, then at some point "reassemble" those segments and send that packet through the preprocessors and detection engine.
>>
>> I would recommend not using "use_static_footprint_sizes" in a production environment, since you don't want to give an attacker a chance to segment a stream such that the segments of an attack will span flush points. Maybe not easy for an attacker to do, but still good to randomize the flush points here.
------------------------------------------------------------------------------ Return on Information: Google Enterprise Search pays you back Get the facts. http://p.sf.net/sfu/google-dev2dev
_______________________________________________ Snort-sigs mailing list Snort-sigs () lists sourceforge net https://lists.sourceforge.net/lists/listinfo/snort-sigs
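Todd's two points above (same flush points give the same reassembly on every run; a fixed flush boundary is a fixed place where content can be split) as an added toy model, not Snort's stream5 code and not part of the thread. The stream, segment size, flush-point range and the names `reassemble`, `detected`, `random_footprint` and `random_detection_rate` are all assumptions made for the illustration.

```python
import random

# Constructed sample stream (not a real capture): 256 bytes of filler with a
# marker placed at offset 122, so that it straddles the 128-byte boundary.
MARKER = b"EXAMPLE-SIGNATURE"
STREAM = b"A" * 122 + MARKER + b"B" * (256 - 122 - len(MARKER))
# Delivered as four in-order 64-byte TCP segments; overlaps are not modelled.
SEGMENTS = [STREAM[i:i + 64] for i in range(0, len(STREAM), 64)]


def reassemble(segments, flush_points):
    """Toy model of stream reassembly (not Snort's code): segments are
    appended to a buffer, and once the buffer reaches the current flush
    point the whole buffer is emitted as one reassembled packet and the
    next flush point applies. Returns the list of reassembled packets."""
    buf, out, i = b"", [], 0
    for seg in segments:
        buf += seg
        if len(buf) >= flush_points[i % len(flush_points)]:
            out.append(buf)
            buf, i = b"", i + 1
    if buf:  # whatever is left at end of stream is flushed as-is
        out.append(buf)
    return out


def detected(reassembled, pattern=MARKER):
    """A content match is evaluated per reassembled packet, never across
    two of them, which is why the flush boundary matters."""
    return any(pattern in pkt for pkt in reassembled)


def random_footprint(seed, lo=64, hi=192):
    """Flush points drawn per run from an assumed range (chosen for the toy
    model); the seed stands in for one run of the sensor."""
    rng = random.Random(seed)
    return [rng.randint(lo, hi) for _ in range(8)]


def random_detection_rate(runs=50):
    """Fraction of runs in which the straddling marker is seen in one piece."""
    hits = sum(detected(reassemble(SEGMENTS, random_footprint(s))) for s in range(runs))
    return hits / runs


if __name__ == "__main__":
    # Fixed flush point of 128: the marker is split the same way every run.
    print("static [128]:", detected(reassemble(SEGMENTS, [128])))  # False
    print("static [192]:", detected(reassemble(SEGMENTS, [192])))  # True
    print("randomized  :", random_detection_rate())
```

The static case is reproducible (good for pcap testing, as Todd says) but its blind spot sits at the same offset every time; the randomized case moves the boundary from run to run, which is the production trade-off the thread describes.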
Current thread:
- stream5 and use_static_footprint_sizes Guise McAllaster (Dec 07)
- Re: stream5 and use_static_footprint_sizes Todd Wease (Dec 07)
- Re: stream5 and use_static_footprint_sizes Guise McAllaster (Dec 08)
- Re: stream5 and use_static_footprint_sizes Matt Olney (Dec 08)
- Re: stream5 and use_static_footprint_sizes Brian Caswell (Dec 08)
- Re: stream5 and use_static_footprint_sizes Matt Olney (Dec 08)
- Re: stream5 and use_static_footprint_sizes Guise McAllaster (Dec 08)
- Re: stream5 and use_static_footprint_sizes Todd Wease (Dec 07)