Snort mailing list archives
Re: Stream5 reassembly
From: Parag Pote <pipsparag () yahoo com>
Date: Tue, 1 Jun 2010 03:05:35 -0700 (PDT)
So Joel,

Does this mean when somebody fetch HTTP page reassembly module assemble the complete HTTP page in a buffer, scan for signatures on whole data? If the page is OK, flush the complete data?

Parag

--- On Mon, 5/31/10, Joel Esler <jesler () sourcefire com> wrote:

From: Joel Esler <jesler () sourcefire com>
Subject: Re: [Snort-users] Stream5 reassembly
To: "Parag Pote" <pipsparag () yahoo com>
Cc: "Patrick Billings" <pbillings () sourcefire com>, "snort-users () lists sourceforge net" <snort-users () lists sourceforge net>
Date: Monday, May 31, 2010, 11:24 AM

It is mandatory if you want to detect anything. The ports are simply the ports we are reassembling on for the ruleset, you can always add more.

--
Joel Esler
Sent from my iPhone

On May 31, 2010, at 8:04 AM, Parag Pote <pipsparag () yahoo com> wrote:

Thanks Joel. But I guess since it is configure only for some specific ports it is not mandatory, right?

Rgds,
Parag

--- On Mon, 5/31/10, Joel Esler <jesler () sourcefire com> wrote:

From: Joel Esler <jesler () sourcefire com>
Subject: Re: [Snort-users] Stream5 reassembly
To: "Parag Pote" <pipsparag () yahoo com>
Cc: "Patrick Billings" <pbillings () sourcefire com>, "snort-users () lists sourceforge net" <snort-users () lists sourceforge net>
Date: Monday, May 31, 2010, 7:31 AM

This is something that is necessary for the proper intended operation of Snort, yes.

--
Sent from my iPad
Joel Esler
302-223-5974
Jabber: jesler () sourcefire com

On May 31, 2010, at 7:09 AM, Parag Pote <pipsparag () yahoo com> wrote:

Thanks patrick. But I didn't hear you saying if it is mandatory or can we ignore it? Is it just an added feature?

Parag

--- On Mon, 5/31/10, Patrick Billings <pbillings () sourcefire com> wrote:

From: Patrick Billings <pbillings () sourcefire com>
Subject: Re: [Snort-users] Stream5 reassembly
To: "Parag Pote" <pipsparag () yahoo com>
Cc: snort-users () lists sourceforge net
Date: Monday, May 31, 2010, 3:34 AM

Hi-

The ports option which can be configured as ports client | server | both is needed to set which ports the preprocessor will perform stream re-assembly on.

For example, if you are wanting to re-assemble the traffic to your webserver, then you would want to check for port 80 for http (tcp) traffic but you may not care not be concerned about the port the browser is using, as it will be a random port.

The default setting is:

ports client 21 23 25 42 53 80 110 111 135 136 137 139 143 445 513 514 1433 1521 2401 3306

HTH,
Patrick

On Mon, May 31, 2010 at 1:31 PM, Parag Pote <pipsparag () yahoo com> wrote:

Hi,

What does ports (ports client and ports both) means in stream5 preprocessor? Just had a glance at the code and it says it does reassembly when we configure this option. Just wanted to know is it mandatory to configure it or optional one? If we do not configure do we miss any functionality?

Rgds,
Parag
------------------------------------------------------------------------------ _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
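The thread's point that detection depends on reassembly, and that the ports option decides which traffic gets reassembled, can be seen in a toy model. This is an added example, not code from the posters or from Snort's stream5; the port sets, the pattern, the sample segments and the reading of "client" as client-to-server data are assumptions made for the illustration.

```python
# Toy model of port-gated TCP reassembly; not Snort's stream5 code.
from collections import defaultdict

# Constructed settings in the spirit of "ports client|server|both <ports>".
PORTS = {"client": {21, 23, 25}, "server": set(), "both": {80}}
SIGNATURE = b"MALWARE_MARKER"  # constructed content pattern

def side_is_reassembled(server_port, from_client, ports=PORTS):
    """Assumption: 'client' covers client-to-server data, 'server' the reverse."""
    side = "client" if from_client else "server"
    return server_port in ports["both"] or server_port in ports[side]

def reassemble(segs):
    """Join {seq: payload} in sequence order; a gap or overlap starts a new chunk."""
    chunks, expected = [], None
    for seq in sorted(segs):
        if seq != expected:
            chunks.append(b"")
        chunks[-1] += segs[seq]
        expected = seq + len(segs[seq])
    return chunks

def inspect(segments, ports=PORTS, signature=SIGNATURE):
    """segments: (flow, server_port, from_client, seq, payload) tuples.
    Returns (packet_hits, stream_hits), each a set of (flow, from_client)."""
    packet_hits, buffers = set(), defaultdict(dict)
    for flow, port, from_client, seq, payload in segments:
        key = (flow, from_client)
        if signature in payload:                      # per-packet inspection
            packet_hits.add(key)
        if side_is_reassembled(port, from_client, ports):
            buffers[key].setdefault(seq, payload)     # first copy of a retransmit wins
    stream_hits = {key for key, segs in buffers.items()
                   if any(signature in chunk for chunk in reassemble(segs))}
    return packet_hits, stream_hits

# Constructed traffic: the pattern is split across two segments in every flow.
SAMPLE = [
    ("A", 80, True, 17, b"MARKER HTTP/1.0\r\n\r\n"),    # arrives out of order
    ("A", 80, True, 1, b"GET /?q=MALWARE_"),
    ("B", 8080, True, 1, b"GET /?q=MALWARE_"),          # port not configured
    ("B", 8080, True, 17, b"MARKER HTTP/1.0\r\n\r\n"),
    ("C", 21, False, 1, b"220 MALWARE_"),               # server side, 'client'-only port
    ("C", 21, False, 13, b"MARKER ready\r\n"),
    ("D", 80, True, 1, b"GET /?q=MALWARE_"),            # segment missing before seq 40
    ("D", 80, True, 40, b"MARKER HTTP/1.0\r\n\r\n"),
]

if __name__ == "__main__":
    print(inspect(SAMPLE))
```

Only flow A is flagged, and only by the reassembled view: per-packet matching sees nothing, and flows on ports or sides left out of the configuration are never buffered.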
Current thread:
- Stream5 reassembly Parag Pote (May 30)
- Re: Stream5 reassembly Patrick Billings (May 31)
- Re: Stream5 reassembly Parag Pote (May 31)
- Re: Stream5 reassembly Joel Esler (May 31)
- Re: Stream5 reassembly Parag Pote (May 31)
- Re: Stream5 reassembly Joel Esler (May 31)
- Re: Stream5 reassembly Parag Pote (Jun 01)
- Re: Stream5 reassembly Patrick Billings (Jun 01)
- Re: Stream5 reassembly Joel Esler (Jun 01)
- Re: Stream5 reassembly Parag Pote (May 31)
- Re: Stream5 reassembly Patrick Billings (May 31)