Snort mailing list archives
Re: What is the relationship between flow: and stream4_reassemble?
From: Jason Haar <Jason.Haar () trimble co nz>
Date: Mon, 10 Jan 2005 10:57:07 +1300
Brian Caswell wrote:
> On Jan 8, 2005, at 6:14 PM, Jason Haar wrote:
>> e.g. does it mean that if you have a rule that needs to look for content that may cross a packet boundary, then it will fail unless that port is listed in stream4_reassemble?
> yes.
Isn't that serious? I mean:

  egrep "^alert tcp .* any -> .* any .*content:" /etc/snort/rules/*rules | wc

shows 64 rules that match - so they will not reliably work unless the ports used just *happen* to match those listed by stream4_reassemble?
[Actually, "reliably" is the wrong word - "consistently" would be a better choice]
So standard fragmentation attacks would bypass these rules?

Shouldn't Snort default to setting stream4_reassemble to reassemble ALL ports - to remedy this? I appreciate this would seriously affect performance - but isn't this a fundamental design issue? It appears that the default state of Snort is that the official rules do not consistently catch events due to this preprocessor setting. The documentation could state that better performance could be gained by going back to a fixed number of ports - but that would mean a loss in capability to handle fragmentation events/etc. Or at least have commented-out lines like:
# If you want to be sure you are reconstructing all packets so as to ensure all the rules
# trigger even on fragmented streams, you should enable "ports all" instead.
# Note that this will have a serious performance impact.
#preprocessor stream4_reassemble ports all

Jason
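The check that the egrep above approximates, written out as an added example (this is not code from the thread, from Snort, or from the Snort rule set): given a stream4_reassemble line from snort.conf and a rules file, list the TCP content rules whose destination port is not in the reassembly port list, since those are the ones where a content match spanning a segment boundary can be missed. The snort.conf fragments and the rules below are constructed for illustration; the DEFAULT_PORTS set is an assumption about the preprocessor's built-in default port list, and rules on "any", ranges, negations or $VARIABLE ports are treated as not guaranteed to be reassembled.

```python
"""
Find Snort 2.x 'alert tcp ... content:' rules whose destination port is not
covered by the stream4_reassemble port list.

Added example for this thread; not Snort code. Config and rules are
constructed. DEFAULT_PORTS is an assumption about stream4_reassemble's
built-in default list.
"""
import re

# Assumption: the preprocessor's built-in default port list.
DEFAULT_PORTS = {21, 23, 25, 53, 80, 110, 111, 143, 513, 1433}

# Constructed snort.conf fragments: the stock setting and the "ports all" one.
SNORT_CONF_DEFAULT = "preprocessor stream4_reassemble: both, ports default\n"
SNORT_CONF_ALL = "preprocessor stream4_reassemble: both, ports all\n"

# Constructed rules in Snort syntax; not real signatures.
RULES = """\
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB example"; content:"/etc/passwd"; sid:1000001;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 8080 (msg:"WEB alt port"; content:"/etc/passwd"; sid:1000002;)
alert tcp any any -> any 6667 (msg:"IRC example"; content:"PRIVMSG"; sid:1000003;)
alert tcp any any -> any any (msg:"any port"; content:"|90 90 90 90|"; sid:1000004;)
alert tcp $EXTERNAL_NET 1024: -> $HOME_NET 25 (msg:"SMTP example"; content:"VRFY"; sid:1000005;)
alert udp any any -> any 53 (msg:"DNS example"; content:"|00 01|"; sid:1000006;)
alert tcp any any -> any 22 (msg:"no content"; flow:to_server; sid:1000007;)
"""

REASSEMBLE_RE = re.compile(r"^\s*preprocessor\s+stream4_reassemble\s*:?\s*(.*)$", re.M)
# src, sport, direction, dst, dport, options
RULE_RE = re.compile(r"^\s*alert\s+tcp\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$")


def parse_reassemble_ports(conf):
    """Return None to mean 'all ports', else the set of reassembled server ports.

    An absent preprocessor line means nothing is reassembled (empty set).
    """
    m = REASSEMBLE_RE.search(conf)
    if not m:
        return set()
    pm = re.search(r"\bports\s+([^,]+)", m.group(1))
    if not pm or pm.group(1).strip() == "default":
        return set(DEFAULT_PORTS)
    spec = pm.group(1).split()
    if spec == ["all"]:
        return None
    return {int(p) for p in spec}


def port_field_covered(field, ports):
    """True if every port this rule field can match is in the reassembly set.

    'any', ranges (1024:), negations (!80) and $VARIABLES cannot be resolved
    here, so they count as not covered unless 'ports all' is configured.
    """
    if ports is None:
        return True
    if field.isdigit():
        return int(field) in ports
    if re.fullmatch(r"\[[\d,]+\]", field):
        return all(int(p) in ports for p in field[1:-1].split(","))
    return False


def uncovered_content_rules(rules_text, conf):
    """Return [(sid, rule_line)] for TCP content rules not fully reassembled."""
    ports = parse_reassemble_ports(conf)
    findings = []
    for line in rules_text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue
        _src, sport, direction, _dst, dport, opts = m.groups()
        if "content:" not in opts:
            continue  # no payload match, so boundary-spanning is not an issue
        sid = re.search(r"\bsid\s*:\s*(\d+)", opts)
        # For '->' the destination is the server side stream4 keys on;
        # for '<>' either side may be the server, so check both.
        fields = [dport] if direction == "->" else [sport, dport]
        if not all(port_field_covered(f, ports) for f in fields):
            findings.append((int(sid.group(1)) if sid else None, line))
    return findings


if __name__ == "__main__":
    for sid, rule in uncovered_content_rules(RULES, SNORT_CONF_DEFAULT):
        print(f"sid {sid}: not reassembled under default ports -> {rule}")
    print("with 'ports all':", uncovered_content_rules(RULES, SNORT_CONF_ALL))
```

Running this against a real deployment means reading snort.conf and the rules files from disk in place of the constructed strings; rules on $HTTP_PORTS-style variables need the variable expanded first or will simply show up as uncovered.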
Current thread:
- What is the relationship between flow: and stream4_reassemble? Jason Haar (Jan 07)
- Re: What is the relationship between flow: and stream4_reassemble? Brian Caswell (Jan 08)
- Re: What is the relationship between flow: and stream4_reassemble? Jason Haar (Jan 08)
- Re: What is the relationship between flow: and stream4_reassemble? Brian Caswell (Jan 09)
- Re: What is the relationship between flow: and stream4_reassemble? Jason Haar (Jan 09)
- Re: What is the relationship between flow: and stream4_reassemble? Jason Haar (Jan 08)
- Re: What is the relationship between flow: and stream4_reassemble? Brian Caswell (Jan 08)
- <Possible follow-ups>
- Re: What is the relationship between flow: and stream4_reassemble? M. Shirk (Jan 10)