Snort mailing list archives

Regarding Stream6 preprocessor

From: Sherlock Holmes <sherlockholmessh56 () gmail com>
Date: Wed, 3 May 2017 17:25:24 +0530

Hello Snort aficionados,

I have a few questions on the Stream6 preprocessor. I'm a complete newbie
and i hope you'll pardon my ignorance. Also, this is my first query to the
open source community. I am not sure of the etiquette followed. I'm all
ears.

I understand the intent of this input plugin. It is needed for TCP
reassembly, among other things.

1. Would it be possible to bypass this preprocessor altogether for TCP
traffic if it is absolutely certain that snort will always receive in-order
TCP segments with no overlap ( i won't get into how that is possible now ) ?

2. Here is the code flow:

StreamProcess()
    StreamProcessTcp()
        ProcessTcp()
            ProcessTcpData()
                 ProcessTcpStream()
                      StreamQueue()/NewQueue()
                            AddStreamNode()  ---- Internally does a calloc
of 'StreamSegment'.
        CheckFlushPolicyOnData() -----|
        CheckFlushPolicyOnAck()----These two checks are for the PAF and to
do a 'flush'.

If I were to skip CheckFlushPolicyOnAck(), would that effect in any dire
ramifications?

3. 'Packet' is snort's abstraction of a packet, like we have sk_buff in
Linux Kernel and mbuf in FreeBSD. So what is the intent of doing another
calloc of 'StreamSegment' for every packet, when we already have the
'Packet' structure? This 'StreamSegment' is again merged into 'Packet' when
doing a flush.


4. Flushing happens in a do-while loop in  _flush_to_seq(). It is
specifically this code chunk within the do-while that sends the packet
further:

_flush_to_seq() {
.
.
            SnortEventqPush();
            Preprocess(s5_pkt);
            SnortEventqPop();

.
.

}
A call to Preprocess sends the packet to the next preprocessor. So, if the
flush were to happen after 5 'StreamSegment's were queued , does it mean
that the 'Packet' that gets forwarded ( for instance, FlushStream() builds
the packet from StreamSegments ) is a single one in lieu of 5?


Would highly appreciate any inputs. Thanks for your time.

Much obliged,
- S

------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot

_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel

Archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel

Please visit http://blog.snort.org for the latest news about Snort!

Current thread:

Regarding Stream6 preprocessor Sherlock Holmes (May 03)
- Re: Regarding Stream6 preprocessor Russ (May 05)