Snort mailing list archives

Re: What is the relationship between flow: and stream4_reassemble?


From: Jason Haar <Jason.Haar () trimble co nz>
Date: Sun, 09 Jan 2005 12:14:56 +1300

Brian Caswell wrote:

It works just as you would expect. flow only checks tcp state. tcp state is tracked on all tcp ports. TCP streams are reassembled only on the ports listed in stream4_reassemble.

OK, then what are the stream4* preprocessors used for WRT rules? I know there are a bunch of internal "rules" - if you like - within the preprocessors themselves (which I mainly end up disabling on our network ;-) - are real rules impacted by these preprocessors?

e.g. does it mean that if you have a rule that needs to look for content that may cross a packet boundary, then it will fail unless that port is listed in stream4_reassemble?

Thanks!

--
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
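
The following is an added illustration, not part of the original message and not Snort code. It is a simplified model of the case asked about: a content pattern split across two TCP segments is invisible to per-packet matching and is seen only in a reassembled view, which the quoted reply says exists only for listed ports. `REASSEMBLE_PORTS`, `PATTERN`, `reassemble` and `inspect` are hypothetical names, and the traffic is constructed.

```python
# Simplified model, not Snort code: per-packet content matching versus
# matching on a reassembled stream, gated by a reassembly port list.
REASSEMBLE_PORTS = {80}      # assumed stand-in for the stream4_reassemble ports
PATTERN = b"TESTPATTERN"     # constructed content pattern

def reassemble(segments):
    """Join (seq, payload) TCP segments in sequence order, trimming overlap."""
    stream, next_seq = b"", None
    for seq, payload in sorted(segments):
        if next_seq is None:
            next_seq = seq
        if seq > next_seq:
            break                          # hole in the stream: stop here
        if seq + len(payload) <= next_seq:
            continue                       # retransmission, nothing new
        stream += payload[next_seq - seq:]
        next_seq = seq + len(payload)
    return stream

def inspect(dst_port, segments, pattern=PATTERN):
    """Return which views ("packet", "stream") contain the pattern."""
    hits = set()
    # Per-packet view: each payload is searched on its own.
    if any(pattern in payload for _, payload in segments):
        hits.add("packet")
    # Stream view: only built when the port is in the reassembly list.
    if dst_port in REASSEMBLE_PORTS and pattern in reassemble(segments):
        hits.add("stream")
    return hits

# Constructed traffic: the same request split across two segments
# (delivered out of order) and sent as a single segment.
SPLIT = [(1011, b"TTERN HTTP/1.0\r\n\r\n"), (1000, b"GET /TESTPA")]
WHOLE = [(1000, b"GET /TESTPATTERN HTTP/1.0\r\n\r\n")]

if __name__ == "__main__":
    for port in (80, 8080):
        for name, segs in (("split", SPLIT), ("whole", WHOLE)):
            print(port, name, sorted(inspect(port, segs)))
```

In this model the split request on port 8080 produces no match at all, while the same bytes on port 80 match in the stream view.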


