Snort mailing list archives

Re: Trivial question


From: Reinoud Koornstra <sockstat () hotmail com>
Date: Thu, 12 Sep 2013 20:48:17 +0000

OK, so I noticed that even when I do active FTP and add port 20 to the stream5 config, no reassembly takes place.

However, when I put the following rule in action:

alert tcp any any -> any 20 (msg:"Attempting FTP streaming enabling"; stream_reassemble:enable,both; sid:61245; rev:1;)

then it does reassembly and I see packet sizes of

1824, 1904, 2360, 2496, 2776, 2816

when I use active FTP.

Date: Thu, 12 Sep 2013 16:22:09 -0400
Subject: Re: [Snort-devel] Trivial question
From: rcombs () sourcefire com
To: sockstat () hotmail com
CC: snort-devel () lists sourceforge net


Yes.  What matters is whether you are in IPS mode or not.  That can be done with a pcap too.
On Thu, Sep 12, 2013 at 4:19 PM, Reinoud Koornstra <sockstat () hotmail com> wrote:

OK, thanks.
Does this also hold for Snort reading a pcap containing an FTP session?

Date: Thu, 12 Sep 2013 15:50:21 -0400
Subject: Re: [Snort-devel] Trivial question
From: rcombs () sourcefire com
To: sockstat () hotmail com
CC: snort-devel () lists sourceforge net

Snort reassembles different protocols differently. The 17K number is close to the paf_max default of 16K. PDUs (protocol data units like an HTTP response) larger than paf_max are truncated into paf_max blocks for processing by Snort. The FTP data channel does not get reassembled in that fashion. Simplifying things, in inline IPS mode, it will reassemble every 2 data segments. Otherwise, every 2 or more acknowledged data segments, upon acknowledgement. Typically this will be around 2*1460 = 2920 bytes.

So, based on the limited info in your question, the answer is yes, that is correct.

On Wed, Sep 11, 2013 at 3:17 PM, Reinoud Koornstra <sockstat () hotmail com> wrote:

Dear Everyone,

When I run HTTP traffic through Snort, while Snort is in inline mode and monitoring the size of the packets, I see that every 4 or more full-MTU packets a packet of 17K bytes is being processed by Snort. I am seeing this with most kinds of traffic, but not with FTP.
Is that correct or not?
Thanks,

Reinoud.

------------------------------------------------------------------------------
How ServiceNow helps IT people transform IT departments:
1. Consolidate legacy IT systems to a single system of record for IT
2. Standardize and globalize service processes across IT
3. Implement zero-touch automation to replace manual, redundant tasks
http://pubads.g.doubleclick.net/gampad/clk?id=51271111&iu=/4140/ostg.clktrk
_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel
Archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel

Please visit http://blog.snort.org for the latest news about Snort!
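The flush behaviour rcombs describes in the thread (paf_max-sized blocks for protocols stream5 has a PAF parser for, and roughly two-segment flushes on the FTP data channel, driven by segment count inline and by ACKs in passive mode) can be sanity-checked with a small model. The following is an added illustration written for this archive page, not code from Snort or from anyone in the thread. It takes the 16K paf_max default and the "every 2 data segments" rule of thumb from the reply; the MSS value, segment sizes and ACK sequences are constructed, and it ignores retransmission, overlap and session teardown.

```python
# Toy model of the stream5 flush points described in the reply above.
# Added illustration, not Snort code. The 16K paf_max default and the
# "every 2 data segments" rule of thumb come from the reply; the segment
# sizes and ACK sequences used below are constructed for the example.
from typing import List, Tuple

PAF_MAX = 16 * 1024  # stream5 paf_max default quoted in the reply (16K)
MSS = 1460           # assumed TCP MSS on a 1500-byte MTU link


def paf_blocks(pdu_len: int, paf_max: int = PAF_MAX) -> List[int]:
    """Protocol-aware flushing (HTTP and other protocols stream5 can parse):
    a PDU is handed to detection whole, or cut into paf_max-sized blocks
    when it is larger than paf_max."""
    blocks = []
    while pdu_len > 0:
        piece = min(pdu_len, paf_max)
        blocks.append(piece)
        pdu_len -= piece
    return blocks


def ips_flushes(segments: List[int]) -> Tuple[List[int], int]:
    """Inline (IPS) mode on a channel with no PAF parser, e.g. the FTP data
    channel: flush after every 2 data segments, regardless of ACKs.
    Returns (flush sizes in order, bytes still buffered at the end)."""
    flushes, pending = [], []
    for size in segments:
        pending.append(size)
        if len(pending) == 2:
            flushes.append(sum(pending))
            pending = []
    return flushes, sum(pending)


def ids_flushes(segments: List[int], acks: List[int]) -> Tuple[List[int], int]:
    """Passive (IDS) mode: data is flushed only when an ACK from the receiver
    covers 2 or more data segments that have not been flushed yet.
    `acks` are cumulative byte counts acknowledged, in arrival order.
    Returns (flush sizes in order, bytes still buffered at the end)."""
    seg_end, total = [], 0
    for size in segments:
        total += size
        seg_end.append(total)          # stream offset at the end of each segment

    flushes = []
    flushed_upto = 0                   # bytes already delivered to detection
    flushed_segs = 0                   # segments already delivered
    for ack in acks:
        acked_segs = sum(1 for end in seg_end if end <= ack)
        if acked_segs - flushed_segs >= 2:
            flushes.append(seg_end[acked_segs - 1] - flushed_upto)
            flushed_upto = seg_end[acked_segs - 1]
            flushed_segs = acked_segs
    return flushes, total - flushed_upto


if __name__ == "__main__":
    # A 17000-byte HTTP response: one 16K block plus the 616-byte tail.
    print("PAF, 17000-byte PDU:", paf_blocks(17000))
    # Six full-MSS segments on an FTP data channel, inline: three 2920-byte flushes.
    print("IPS, 6 x MSS:", ips_flushes([MSS] * 6))
    # Same segments, passive, receiver acking every other segment (delayed ACK).
    print("IDS, ACK every 2nd segment:", ids_flushes([MSS] * 6, [2 * MSS, 4 * MSS, 6 * MSS]))
    # Passive, one ACK covering three segments, then one covering only the fourth.
    print("IDS, uneven ACKs:", ids_flushes([MSS] * 4, [MSS, 3 * MSS, 4 * MSS]))
```

With the receiver acknowledging every other segment, the passive model produces the 2*1460 = 2920-byte flushes the reply quotes; an ACK that happens to cover three segments produces a single 4380-byte flush and leaves the fourth segment buffered until a later ACK. The model is only as good as the "2 data segments" simplification it encodes; the actual flush points depend on the stream5 configuration in use, which is why the poster's observed sizes need not match these figures exactly.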