Snort mailing list archives
Re: Stream5 and File preprocessor
From: "Hui Cao (huica)" <huica () cisco com>
Date: Tue, 27 May 2014 15:07:57 +0000
File preprocessor does require stream. It processes data that are reassembled by stream, so stream5 configuration might impact file processing.

File size is controlled by file type depth or file signature depth. Stream5 memcap or max queue bytes only impacts how much file data is buffered. You can have file size larger than memcap and max queued bytes. If the file is large, many reassembled packets will be processed.

For pruned/purged sessions, data will be flushed and processed.

Best,
Hui.

From: NIDS TEAM <nidsteam () gmail com>
Date: Tuesday, May 27, 2014 at 4:42 AM
To: "snort-users () lists sourceforge net" <snort-users () lists sourceforge net>
Subject: [Snort-users] Stream5 and File preprocessor

Hi,

How are the Stream5 and File preprocessor related to each other?

- In case I'd like to extract files from a TCP stream: Will I only be able to extract files which are smaller than the Stream5 memcap, max_queued_bytes, etc.?
- Stream5 will reassemble the traffic and then basically send the entire file at once to the file preprocessor?
- What happens to purged/pruned Stream5 sessions? Will the already reassembled part still be sent to the following preprocessors or will it just be deleted?

Thanks for your replies
guh
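The settings named in the reply above, laid out as a snort.conf fragment. This is an added example, not part of the thread; the values are illustrative, and reading the reply's "file type depth" and "file signature depth" as the Snort 2.9 options `file_type_depth` and `file_signature_depth` is an assumption.

```conf
# Stream5 side: these limits bound how much TCP data is buffered for
# reassembly. Per the reply, they do not cap the size of a file that
# can be processed; a large file simply arrives as many reassembled
# packets.
preprocessor stream5_global: track_tcp yes, \
   memcap 8388608
preprocessor stream5_tcp: policy first, \
   max_queued_bytes 1048576, \
   ports both 80

# File side: these depths bound how many bytes of each file are
# examined for type identification and for signature calculation.
# Per the reply, this is where file size is controlled.
config file: file_type_depth 1460, \
   file_signature_depth 10485760
```

With values like these, a transfer larger than both `memcap` and `max_queued_bytes` is still handed to file processing piece by piece as Stream5 flushes it, while bytes beyond `file_signature_depth` fall outside signature calculation.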
Current thread:
- Stream5 and File preprocessor NIDS TEAM (May 27)
- Re: Stream5 and File preprocessor Hui Cao (huica) (May 27)