Snort mailing list archives

Previous By Date Next
Previous By Thread Next

Re: flow:established still broken in 2.9.0.5?

From: Jason Haar <Jason.Haar () trimble co nz>
Date: Thu, 30 Jun 2011 10:12:33 +1200
On 30/06/11 09:33, Russ Combs wrote:


depth:2 applies to the current packet (raw or reassembled).  It is not
a depth from beginning of stream.


Ahhh! the penny drops - so it should be expected to get FPs due to this
then? Shouldn't there be a "streamdepth:" option then? Almost all TCP
protocols are defined by their first few bytes, so checking only the
beginning of a stream should improve things for many rules? I have
routinely seen FPs caused by this with SSL and ZIP/compressed data flows
- almost all would be removed if there was a "streamdepth" sort of option.

(I've just checked the manual and indeed "depth" is only about packets,
not streams - and yet all the "tcp_stream" options in snort had lead me
to believe it did something more precise - my mistake :-)

-- 
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1


------------------------------------------------------------------------------
All of the data generated in your IT infrastructure is seriously valuable.
Why? It contains a definitive record of application performance, security 
threats, fraudulent activity, and more. Splunk takes this data and makes 
sense of it. IT sense. And common sense.
http://p.sf.net/sfu/splunk-d2d-c2
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please see http://www.snort.org/docs for documentation
Previous By Date Next
Previous By Thread Next

Current thread: