Re: Stream5 reassembly

[Patrick Billings <pbillings () sourcefire com>]

Hi-

Yes it will do this if you have selected the setting of ports server.
Typically client requests are small, lightweight, and usually the
client request is the request that would carry a malicious payload.

Default is ports client

Patrick

On Tue, Jun 1, 2010 at 6:05 PM, Parag Pote <pipsparag () yahoo com> wrote:
> So Joel, Does this mean when somebody fetch HTTP page reassembly module assemble the complete HTTP page in a buffer, 
> scan for signatures on whole data? If the page is OK, flush the complete data?
>
> Parag
>
> --- On Mon, 5/31/10, Joel Esler <jesler () sourcefire com> wrote:
>
> > From: Joel Esler <jesler () sourcefire com>
> > Subject: Re: [Snort-users] Stream5 reassembly
> > To: "Parag Pote" <pipsparag () yahoo com>
> > Cc: "Patrick Billings" <pbillings () sourcefire com>, "snort-users () lists sourceforge net" <snort-users () lists 
> > sourceforge net>
> > Date: Monday, May 31, 2010, 11:24 AM
> > It is mandatory if you want to detect
> > anything.  The ports are simply
> > the ports we are reassembling on for the ruleset, you can
> > always add
> > more.
> >
> > --
> > Joel Esler
> > Sent from my iPhone
> >
> > On May 31, 2010, at 8:04 AM, Parag Pote <pipsparag () yahoo com>
> > wrote:
> >
> > > Thanks Joel.
> > >
> > > But I guess since it is configure only for some
> > specific ports it is
> > > not mandatory, right?
> > >
> > > Rgds,
> > > Parag
> > >
> > >
> > > --- On Mon, 5/31/10, Joel Esler <jesler () sourcefire com>
> > wrote:
> > > > From: Joel Esler <jesler () sourcefire com>
> > > > Subject: Re: [Snort-users] Stream5 reassembly
> > > > To: "Parag Pote" <pipsparag () yahoo com>
> > > > Cc: "Patrick Billings" <pbillings () sourcefire com>,
> > "snort-users () lists sourceforge net
> >
> > > > " <snort-users () lists sourceforge net>
> > > > Date: Monday, May 31, 2010, 7:31 AM
> > > > This is something that is necessary
> > > > for the proper intended operation of Snort, yes.
> > > >
> > > > --
> > > > Sent from my iPad
> > > > Joel Esler
> > > > 302-223-5974
> > > > Jabber:jesler () sourcefire com
> > > >
> > > > On May 31, 2010, at 7:09 AM, Parag Pote <pipsparag () yahoo com>
> > > > wrote:
> > > >
> > > > > Thanks patrick.
> > > > >
> > > > > But I didn't hear you saying if it is
> > mandatory or can
> > > > we ignore it? Is it just an added feature?
> > > > > Parag
> > > > >
> > > > > --- On Mon, 5/31/10, Patrick Billings <pbillings () sourcefire com>
> > > > wrote:
> > > > > > From: Patrick Billings <pbillings () sourcefire com>
> > > > > > Subject: Re: [Snort-users] Stream5
> > reassembly
> > > > > > To: "Parag Pote" <pipsparag () yahoo com>
> > > > > > Cc: snort-users () lists sourceforge net
> > > > > > Date: Monday, May 31, 2010, 3:34 AM
> > > > > > Hi-
> > > > > >
> > > > > > The ports option which can be configured
> > as ports
> > > > client |
> > > > > > server |
> > > > > > both is needed to set which ports the
> > preprocessor
> > > > will
> > > > > > perform stream
> > > > > > re-assembly on.
> > > > > >
> > > > > > For example, if you are wanting to
> > re-assemble the
> > > > traffic
> > > > > > to your
> > > > > > webserver, then you would want to check
> > for port
> > > > 80 for
> > > > > > http(tcp)
> > > > > > traffic but you may not care not be
> > concerned
> > > > about the
> > > > > > port the
> > > > > > browser is using, as it will be a random
> > port.
> > > > > > The default setting is:  ports client
> > 21 23
> > > > 25 42 53
> > > > > > 80 110 111 135
> > > > > > 136  137 139 143 445 513 514 1433
> > 1521 2401
> > > > 3306
> > > > > > HTH,
> > > > > >
> > > > > > Patrick
> > > > > >
> > > > > > On Mon, May 31, 2010 at 1:31 PM, Parag
> > Pote <pipsparag () yahoo com>
> > > > > > wrote:
> > > > > > > Hi,
> > > > > > >
> > > > > > > What does ports (ports client and
> > ports both)
> > > > means in
> > > > > > stream5 preprocessor? Just had a glance at
> > the
> > > > code and it
> > > > > > says it does reassembly when we configure
> > this
> > > > option. Just
> > > > > > wanted to know is it mandatory to
> > configure it or
> > > > optional
> > > > > > one? If we do not configure do we miss
> > any
> > > > functionality?
> > > > > > > Rgds,
> > > > > > > Parag
> > > > ---
> > > > ---
> > > > ---
> > ---------------------------------------------------------------------
> > > > > > >
> > > > _______________________________________________
> > > > > > > Snort-users mailing list
> > > > > > > Snort-users () lists sourceforge net
> > > > > > > Go to this URL to change user options
> > or
> > > > unsubscribe:
> > > > > > > https://lists.sourceforge.net/lists/listinfo/snort-users
> > > > > > > Snort-users list archive:
> > > > > > > http://www.geocrawler.com/redir-sf.php3?list=snort-users
> > > > ---
> > > > ---
> > > > ---
> > ---------------------------------------------------------------------
> > > > >
> > _______________________________________________
> > > > > Snort-users mailing list
> > > > > Snort-users () lists sourceforge net
> > > > > Go to this URL to change user options or
> > unsubscribe:
> > > > > https://lists.sourceforge.net/lists/listinfo/snort-users
> > > > > Snort-users list archive:
> > > > > http://www.geocrawler.com/redir-sf.php3?list=snort-users

------------------------------------------------------------------------------

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users