Snort mailing list archives

Re: stream4's new config


From: Jason Brvenik <jasonb () sourcefire com>
Date: Fri, 18 Nov 2005 09:47:44 -0500



zhaohui yin wrote:
While I read the Snort source, I found some new config options that the stream4
preprocessor supports, but I can't find any description of those options
in the manual.

preprocessor stream4:midstream_drop_alerts

Should sessions that appear to not be fully established but have
alertable data be raised to the user or not? In general the answer would
be no (think stateless user DoS), but if you want to see the events that
would be generated, then set this config option.


preprocessor stream4_reassemble: flush_behavior < default | random | large_window >, flush_seed <seed>, flush_base <base>, flush_range <range>

These config options control the boundaries that the stream preprocessor
flushes reassembled data on. The options are documented in the default
snort.conf with relevant bits copied here.

#   flush_behavior [mode] -
#           default      - use old static flushpoints (default)
#           large_window - use new larger static flushpoints
#           random       - use random flushpoints defined by flush_base,
#                          flush_seed and flush_range
#   flush_base [number] - lowest allowed random flushpoint (512 by default)
#   flush_range [number] - number is the space within which random
#                          flushpoints are generated (default 1213)
#   flush_seed [number] - seed for the random number generator, defaults
#                         to Snort PID + time





Who can tell me what the above configs mean?
--
yinzhaohui


-------------------------------------------------------
This SF.Net email is sponsored by the JBoss Inc.  Get Certified Today
Register for a JBoss Training Course.  Free Certification Exam
for All Training Attendees Through End of 2005. For more info visit:
http://ads.osdn.com/?ad_id=7628&alloc_id=16845&op=click
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
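
Added example, not part of the original thread and not Snort's own code: a small Python check that parses a stream4_reassemble line in the syntax quoted above and reports when the flushpoints stay static or become reproducible. The finding names, the sample lines and the reading of the random window as [flush_base, flush_base + flush_range) are assumptions.

```python
# Added example (not Snort code). Option names and defaults follow the quoted
# snort.conf comments; the window [base, base + range) is an assumed reading.
DEFAULTS = {"flush_behavior": "default", "flush_base": 512, "flush_range": 1213}
MODES = ("default", "large_window", "random")
NUMERIC = ("flush_base", "flush_range", "flush_seed")

def parse_reassemble(line):
    """Return (options, explicitly_set_keys) for one config line."""
    head, _, args = line.strip().partition(":")
    if head.split() != ["preprocessor", "stream4_reassemble"]:
        raise ValueError("not a stream4_reassemble line")
    opts, seen = dict(DEFAULTS), set()
    for item in args.split(","):
        key, *val = item.split() or [""]
        if key != "flush_behavior" and key not in NUMERIC:
            continue  # options other than the flush_* ones are not audited
        if len(val) == 1 and key == "flush_behavior" and val[0] in MODES:
            opts[key] = val[0]
        elif len(val) == 1 and key in NUMERIC and val[0].isdigit():
            opts[key] = int(val[0])
        else:
            raise ValueError("bad value in %r" % item.strip())
        seen.add(key)
    return opts, seen

def audit(line):
    """Return (sorted finding codes, assumed inclusive random window or None)."""
    opts, seen = parse_reassemble(line)
    base, span = opts["flush_base"], opts["flush_range"]
    findings, window = set(), None
    if opts["flush_behavior"] != "random":
        findings.add("static-flushpoints")  # fixed reassembly boundaries
        if seen & set(NUMERIC):
            findings.add("random-options-without-random-mode")
    else:
        if "flush_seed" in seen:
            findings.add("fixed-seed")  # same seed, same flushpoint sequence
        if span <= 1:
            findings.add("single-flushpoint")  # no spread above flush_base
        window = (base, base + span - 1) if span >= 1 else None
    return sorted(findings), window
# Constructed sample lines in the syntax shown in the thread.
SAMPLES = [
    "preprocessor stream4_reassemble: flush_behavior random",
    "preprocessor stream4_reassemble: flush_behavior random, flush_seed 42, flush_range 1",
    "preprocessor stream4_reassemble: flush_base 1024",
]
if __name__ == "__main__":
    print(*(f"{audit(s)} <- {s}" for s in SAMPLES), sep="\n")
```
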


