Snort mailing list archives
Re: Understanding flow options (no_stream|only_stream) (no_frag|only_frag)
From: Damian Torres via Snort-users <snort-users () lists snort org>
Date: Thu, 3 Aug 2017 10:30:40 -0400
Albert, no, I had not looked at the README.stream5 file. There was a lot of useful information in there, so thank you for mentioning that!

From the README.stream5: "The Stream preprocessor is a target-based TCP reassembly module for Snort. It replaces both the Stream5 and the earlier Stream4 and flow preprocessors, and it is capable of tracking sessions for both TCP and UDP."

So now, in addition to the two questions I had before, I have the following questions:

3.) Are flow:established,to_server,no_stream; and stream_reassemble:disable,client; essentially the same? If not, how are they different? (may tie in with #5)
4.) I assume that if I use the stream_reassemble option, I cannot use flow in the same rule?
5.) What are the pros/cons of using flow vs stream_reassemble?

Warm Regards,
-Damian

On Wed, Aug 2, 2017 at 4:33 PM, Al Lewis (allewi) <allewi () cisco com> wrote:
Have you looked at the README.stream5 file? It's located under the doc folder of the snort download.

Albert Lewis
ENGINEER.SOFTWARE ENGINEERING
SOURCEfire, Inc. now part of Cisco
Email: allewi () cisco com

From: Snort-users <snort-users-bounces () lists snort org> on behalf of Damian Torres via Snort-users <snort-users () lists snort org>
Reply-To: Damian Torres <datorr2 () gmail com>
Date: Wednesday, August 2, 2017 at 3:49 PM
To: Snort-Users <snort-users () lists snort org>
Subject: [Snort-users] Understanding flow options (no_stream|only_stream) (no_frag|only_frag)

Good afternoon, all.

I've been trying to find more information about the following flow options:

no_stream - Do not trigger on rebuilt stream packets (useful for dsize and stream5)
only_stream - Only trigger on rebuilt stream packets
no_frag - Do not trigger on rebuilt frag packets
only_frag - Only trigger on rebuilt frag packets

Other than this information that is mentioned in the manual, I can't seem to find anything else about these options. I saw the following snort-devel thread from 2010 where it sounds like there was supposed to be some more information put into the manual: https://lists.snort.org/pipermail/snort-devel/2010-December/008525.html

Another confusing thing is that the no_frag|only_frag options don't exist in the Cisco FireSIGHT rule editor.

My questions are:

1.) As far as the no_stream option goes, it sounds like all of the payload detection options have to fire on a single packet. Is this correct?
2.) What are the no_frag|only_frag options used for? The only "fragmentation" that I am aware of occurs in IP, and "flow" seems like it only pertains to TCP.

Thank you.

Warm Regards,
-Damian
_______________________________________________
Snort-users mailing list
Snort-users () lists snort org
Go to this URL to change user options or unsubscribe: https://lists.snort.org/mailman/listinfo/snort-users
Please visit http://blog.snort.org to stay current on all the latest Snort news!
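An added example, not from this thread or from the Snort project: a small Python checker that parses the option body of Snort rules and flags the flow keyword problems the thread touches on, namely the mutually exclusive pairs no_stream/only_stream and no_frag/only_frag, misspelled flow keywords, and dsize used without no_stream (the manual line quoted in the thread calls no_stream "useful for dsize", so the checker raises an advisory note rather than an error). The sample rules, their SIDs and msg strings are constructed for this example; the option tokenizer is a simplified one that handles quoted values but not escaped quotes inside them.

```python
import re

# Flow keywords accepted by the Snort 2.x "flow" rule option.
FLOW_KEYWORDS = {
    "established", "not_established", "stateless",
    "to_client", "to_server", "from_client", "from_server",
    "no_stream", "only_stream", "no_frag", "only_frag",
}

# A packet is either raw or rebuilt, so these pairs can never both match.
MUTUALLY_EXCLUSIVE = [("no_stream", "only_stream"), ("no_frag", "only_frag")]

# One rule option: name, optional ':' value, terminated by ';'.
# Quoted values (msg, content, pcre) may themselves contain ';'.
OPTION_RE = re.compile(r'\s*(\w+)(?::((?:"[^"]*"|[^;"])*))?\s*;')

# Constructed sample rules (not from the thread), one per situation checked.
SAMPLE_RULES = [
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"constructed: raw packets only"; '
    'flow:established,to_server,no_stream; dsize:<64; content:"GET "; sid:1000001; rev:1;)',
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"constructed: rebuilt stream only"; '
    'flow:established,to_server,only_stream; content:"POST "; sid:1000002; rev:1;)',
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"constructed: contradictory"; '
    'flow:established,no_stream,only_stream; content:"x"; sid:1000003; rev:1;)',
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"constructed: typo and dsize"; '
    'flow:established,to_server,only_strem; dsize:>1000; sid:1000004; rev:1;)',
]


def parse_rule_options(rule):
    """Return the options inside the rule's parentheses as (name, value) pairs, in order."""
    start, end = rule.find("("), rule.rfind(")")
    if start < 0 or end < start:
        raise ValueError("rule has no option body")
    body = rule[start + 1:end]
    return [(m.group(1), m.group(2)) for m in OPTION_RE.finditer(body)]


def flow_flags(options):
    """Collect every keyword passed to flow: (a rule may carry more than one flow option)."""
    flags = []
    for name, value in options:
        if name == "flow" and value:
            flags.extend(f.strip() for f in value.split(","))
    return flags


def check_flow(rule):
    """Return a list of problems (or advisory notes) about the rule's flow keywords."""
    options = parse_rule_options(rule)
    flags = flow_flags(options)
    names = {name for name, _ in options}
    issues = []
    for f in flags:
        if f not in FLOW_KEYWORDS:
            issues.append(f"unknown flow keyword: {f}")
    for a, b in MUTUALLY_EXCLUSIVE:
        if a in flags and b in flags:
            issues.append(f"contradictory flow keywords: {a} and {b} can never both match")
    # Advisory only: the manual lists no_stream as useful with dsize, so a dsize rule
    # without it deserves a second look, but it is not necessarily wrong.
    if "dsize" in names and "no_stream" not in flags:
        issues.append("dsize used without no_stream; confirm matching on rebuilt stream packets is intended")
    return issues


def lint_samples():
    """Run the checker over the constructed rules, keyed by sid."""
    report = {}
    for rule in SAMPLE_RULES:
        sid = dict(parse_rule_options(rule)).get("sid", "?")
        report[sid] = check_flow(rule)
    return report


if __name__ == "__main__":
    for sid, issues in lint_samples().items():
        print(sid, "OK" if not issues else "; ".join(issues))
```

Running the block prints one line per sample: the first two rules pass, the third is reported as contradictory, and the fourth gets both the misspelling and the dsize note. Pointing `SAMPLE_RULES` at lines read from a real rules file is the only change needed to use it on a deployment.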
Current thread:
- Understanding flow options (no_stream|only_stream) (no_frag|only_frag) Damian Torres via Snort-users (Aug 02)
- Re: Understanding flow options (no_stream|only_stream) (no_frag|only_frag) Al Lewis (allewi) via Snort-users (Aug 02)
- Re: Understanding flow options (no_stream|only_stream) (no_frag|only_frag) Damian Torres via Snort-users (Aug 03)
- Re: Understanding flow options (no_stream|only_stream) (no_frag|only_frag) Al Lewis (allewi) via Snort-users (Aug 02)