Snort mailing list archives
Re: Understanding flow options (no_stream|only_stream) (no_frag|only_frag)
From: "Al Lewis \(allewi\) via Snort-users" <snort-users () lists snort org>
Date: Wed, 2 Aug 2017 20:33:35 +0000
Have you looked at the README.stream5 file? Its located under the doc folder of the snort download. Albert Lewis ENGINEER.SOFTWARE ENGINEERING SOURCEfire, Inc. now part of Cisco Email: allewi () cisco com<mailto:allewi () cisco com> From: Snort-users <snort-users-bounces () lists snort org<mailto:snort-users-bounces () lists snort org>> on behalf of Damian Torres via Snort-users <snort-users () lists snort org<mailto:snort-users () lists snort org>> Reply-To: Damian Torres <datorr2 () gmail com<mailto:datorr2 () gmail com>> Date: Wednesday, August 2, 2017 at 3:49 PM To: Snort-Users <snort-users () lists snort org<mailto:snort-users () lists snort org>> Subject: [Snort-users] Understanding flow options (no_stream|only_stream) (no_frag|only_frag) Good afternoon, all. I've been trying to find more information about the following flow options: no_stream - Do not trigger on rebuilt stream packets (useful for dsize and stream5) only_stream - Only trigger on rebuilt stream packets no_frag - Do not trigger on rebuilt frag packets only_frag - Only trigger on rebuilt frag packets Other than this information that is mentioned in the manual, I can't seem to find anything else about these options. I saw the following snort-devel thread from 2010 where it sounds like there was supposed to be some more information put into the manual: https://lists.snort.org/pipermail/snort-devel/2010-December/008525.html Another confusing thing is, the no_frag|only_frag options don't exist in the Cisco FireSIGHT rule editor. My questions are: 1.) As far as the no_stream option goes, it sounds like all of the payload detection options have to fire on a single packet. Is this correct? 2.) What are the no_frag|only_frag options used for? The only "fragmentation" that I am aware of occurs in IP, and "flow" seems like it only pertains to TCP. Thank you. Warm Regards, -Damian
_______________________________________________ Snort-users mailing list Snort-users () lists snort org Go to this URL to change user options or unsubscribe: https://lists.snort.org/mailman/listinfo/snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news!
Current thread:
- Understanding flow options (no_stream|only_stream) (no_frag|only_frag) Damian Torres via Snort-users (Aug 02)
- Re: Understanding flow options (no_stream|only_stream) (no_frag|only_frag) Al Lewis (allewi) via Snort-users (Aug 02)
- Re: Understanding flow options (no_stream|only_stream) (no_frag|only_frag) Damian Torres via Snort-users (Aug 03)
- Re: Understanding flow options (no_stream|only_stream) (no_frag|only_frag) Al Lewis (allewi) via Snort-users (Aug 02)