Understanding flow options (no_stream|only_stream) (no_frag|only_frag)

[Damian Torres via Snort-users <snort-users () lists snort org>]

Good afternoon, all.


I've been trying to find more information about the following flow options:

no_stream - Do not trigger on rebuilt stream packets (useful for dsize and
stream5)
only_stream - Only trigger on rebuilt stream packets
no_frag - Do not trigger on rebuilt frag packets
only_frag - Only trigger on rebuilt frag packets

Other than this information that is mentioned in the manual, I can't seem
to find anything else about these options.  I saw the following snort-devel
thread from 2010 where it sounds like there was supposed to be some more
information put into the manual:

https://lists.snort.org/pipermail/snort-devel/2010-December/008525.html

Another confusing thing is, the no_frag|only_frag options don't exist in
the Cisco FireSIGHT rule editor.


My questions are:
1.) As far as the no_stream option goes, it sounds like all of the payload
detection options have to fire on a single packet.  Is this correct?
2.) What are the no_frag|only_frag options used for?  The only
"fragmentation" that I am aware of occurs in IP, and "flow" seems like it
only pertains to TCP.


Thank you.


Warm Regards,
-Damian

_______________________________________________
Snort-users mailing list
Snort-users () lists snort org
Go to this URL to change user options or unsubscribe:
https://lists.snort.org/mailman/listinfo/snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!