Snort mailing list archives
Re: Stream5 reassembly
From: Patrick Billings <pbillings () sourcefire com>
Date: Tue, 1 Jun 2010 19:13:43 +0800
Hi-

Yes it will do this if you have selected the setting of ports server. Typically client requests are small, lightweight, and usually the client request is the request that would carry a malicious payload. Default is ports client

Patrick

On Tue, Jun 1, 2010 at 6:05 PM, Parag Pote <pipsparag () yahoo com> wrote:

> So Joel,
>
> Does this mean when somebody fetches an HTTP page, the reassembly module assembles the complete HTTP page in a buffer and scans for signatures on the whole data? If the page is OK, it flushes the complete data?
>
> Parag
>
> --- On Mon, 5/31/10, Joel Esler <jesler () sourcefire com> wrote:
>
>> From: Joel Esler <jesler () sourcefire com>
>> Subject: Re: [Snort-users] Stream5 reassembly
>> To: "Parag Pote" <pipsparag () yahoo com>
>> Cc: "Patrick Billings" <pbillings () sourcefire com>, "snort-users () lists sourceforge net" <snort-users () lists sourceforge net>
>> Date: Monday, May 31, 2010, 11:24 AM
>>
>> It is mandatory if you want to detect anything. The ports are simply the ports we are reassembling on for the ruleset, you can always add more.
>>
>> --
>> Joel Esler
>> Sent from my iPhone
>>
>> On May 31, 2010, at 8:04 AM, Parag Pote <pipsparag () yahoo com> wrote:
>>
>>> Thanks Joel. But I guess since it is configured only for some specific ports it is not mandatory, right?
>>>
>>> Rgds,
>>> Parag
>>>
>>> --- On Mon, 5/31/10, Joel Esler <jesler () sourcefire com> wrote:
>>>
>>>> From: Joel Esler <jesler () sourcefire com>
>>>> Subject: Re: [Snort-users] Stream5 reassembly
>>>> To: "Parag Pote" <pipsparag () yahoo com>
>>>> Cc: "Patrick Billings" <pbillings () sourcefire com>, "snort-users () lists sourceforge net" <snort-users () lists sourceforge net>
>>>> Date: Monday, May 31, 2010, 7:31 AM
>>>>
>>>> This is something that is necessary for the proper intended operation of Snort, yes.
>>>>
>>>> --
>>>> Sent from my iPad
>>>> Joel Esler
>>>> 302-223-5974
>>>> Jabber: jesler () sourcefire com
>>>>
>>>> On May 31, 2010, at 7:09 AM, Parag Pote <pipsparag () yahoo com> wrote:
>>>>
>>>>> Thanks Patrick. But I didn't hear you saying if it is mandatory or can we ignore it? Is it just an added feature?
>>>>>
>>>>> Parag
>>>>>
>>>>> --- On Mon, 5/31/10, Patrick Billings <pbillings () sourcefire com> wrote:
>>>>>
>>>>>> From: Patrick Billings <pbillings () sourcefire com>
>>>>>> Subject: Re: [Snort-users] Stream5 reassembly
>>>>>> To: "Parag Pote" <pipsparag () yahoo com>
>>>>>> Cc: snort-users () lists sourceforge net
>>>>>> Date: Monday, May 31, 2010, 3:34 AM
>>>>>>
>>>>>> Hi-
>>>>>>
>>>>>> The ports option, which can be configured as ports client | server | both, is needed to set which ports the preprocessor will perform stream re-assembly on.
>>>>>>
>>>>>> For example, if you are wanting to re-assemble the traffic to your webserver, then you would want to check for port 80 for http (tcp) traffic but you may not care or be concerned about the port the browser is using, as it will be a random port.
>>>>>>
>>>>>> The default setting is:
>>>>>>
>>>>>> ports client 21 23 25 42 53 80 110 111 135 136 137 139 143 445 513 514 1433 1521 2401 3306
>>>>>>
>>>>>> HTH,
>>>>>> Patrick
>>>>>>
>>>>>> On Mon, May 31, 2010 at 1:31 PM, Parag Pote <pipsparag () yahoo com> wrote:
>>>>>>
>>>>>>> Hi,
>>>>>>>
>>>>>>> What does ports (ports client and ports both) mean in the stream5 preprocessor? Just had a glance at the code and it says it does reassembly when we configure this option. Just wanted to know, is it mandatory to configure it or an optional one? If we do not configure it, do we miss any functionality?
>>>>>>>
>>>>>>> Rgds,
>>>>>>> Parag
------------------------------------------------------------------------------
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users