Re: [snort-users] Stream5 doesn't take into account every TCP segment

[Emiliano Fausto <emiliano.fausto () gmail com>]

Update: I've been doing some more testing, and I could notice that:

1) The if condition: myPacket->flags && FLAG_REBUILT_STREAM is True for:
        * The packet belongs to a segment which should be reassembled
        * The packet is complete without a reassembly
2) The problem actually isn't that the Stream5 isn't activating the
FLAG_REBUILT_STREAM, but that the packet->payload is not the reassembled
packet with all the packets PDUs reassembled, but just the last one

Does anyone know if there's any kind of variable which has the reassembled
packet?

Thanks in advance,
Emiliano.


2013/12/9 Emiliano Fausto <emiliano.fausto () gmail com>

> Hello everyone,
>
> I have the Stream5 preprocessor working (thanks to Hui from the
> developer's team), but for some reason it's not taking into account every
> TCP segment.
>
> Therefore, it's just reassembling some TCP segmented stream, but not all
> of it.
>
> I'm using Wireshark with the option to reassembly TCP, and it shows
> correctly two packets reassembled. While the Stream5 preprocessor doesn't
> take them into account to reassemble them.
>
> I reviewed once and again the Stream5 options documentation in the
> Stream5.README, I don't know what could be going on.
>
> Here is the configuration I set for the preprocessor:
>
> config pax_max: 16000
> preprocessor stream5_global: track_tcp yes, \
>     track_udp no, \
>     track_icmp no, \
>     max_tcp 262144, \
>     max_active_responses 2, \
>     min_response_seconds 5
> preprocessor stream5_tcp: policy linux, \
>     overlap_limit 0, timeout 180, \
>     ports both 3200
>
> And I'm running a dynamic preprocessor of mine which takes every
> reassembled packet into account and just print a line:
>
> if ((SFSnortPacket*) mypacket->flags & FLAG_REBUILT_STREAM)
>       _dpd.logMsg("A reassembled packet was received.\n");
>
> But it's just being triggered sometimes, but not always, and as I can see
> in the wireshar, there are several rebuilt streams.
>
> Just in case, I'm running the SNORT process with option "-k none".
>
> Thanks in advance,
> Emiliano.
------------------------------------------------------------------------------
Sponsored by Intel(R) XDK 
Develop, test and display web and hybrid apps with a single code base.
Download it for free now!
http://pubads.g.doubleclick.net/gampad/clk?id=111408631&iu=/4140/ostg.clktrk

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!