Re: Understanding flow options (no_stream|only_stream) (no_frag|only_frag)

[Damian Torres via Snort-users <snort-users () lists snort org>]

Albert,


No, I had not looked at the README.stream5 file.  There was a lot of useful
information in there, so thank you for mentioning that!

> From the README.stream5, "The Stream preprocessor is a target-based TCP
reassembly module for Snort.  It replaces both the Stream5 and the earlier
Stream4 and flow preprocessors, and it is capable of tracking sessions for
both TCP and UDP."

So now, in addition to the two questions I had before, I have the following
questions:

3.) Are flow:established,to_server,no_stream; and
stream_reassemble:disable,client; essentially the same?  If not, how are
they different? (may tie in with #5).
4.) I assume that if I use stream_reassemble option, I cannot use flow in
the same rule?
5.) What are the pros/cons of using flow vs stream_reassemble?


Warm Regards,
-Damian


On Wed, Aug 2, 2017 at 4:33 PM, Al Lewis (allewi) <allewi () cisco com> wrote:

> Have you looked at the README.stream5 file?
>
> Its located under the doc folder of the snort download.
>
>
> *Albert Lewis*
>
> ENGINEER.SOFTWARE ENGINEERING
>
> SOURCE*fire*, Inc. now part of *Cisco*
>
> Email: allewi () cisco com
>
> From: Snort-users <snort-users-bounces () lists snort org> on behalf of
> Damian Torres via Snort-users <snort-users () lists snort org>
> Reply-To: Damian Torres <datorr2 () gmail com>
> Date: Wednesday, August 2, 2017 at 3:49 PM
> To: Snort-Users <snort-users () lists snort org>
> Subject: [Snort-users] Understanding flow options (no_stream|only_stream)
> (no_frag|only_frag)
>
> Good afternoon, all.
>
>
> I've been trying to find more information about the following flow options:
>
> no_stream - Do not trigger on rebuilt stream packets (useful for dsize and
> stream5)
> only_stream - Only trigger on rebuilt stream packets
> no_frag - Do not trigger on rebuilt frag packets
> only_frag - Only trigger on rebuilt frag packets
>
> Other than this information that is mentioned in the manual, I can't seem
> to find anything else about these options.  I saw the following snort-devel
> thread from 2010 where it sounds like there was supposed to be some more
> information put into the manual:
>
> https://lists.snort.org/pipermail/snort-devel/2010-December/008525.html
>
> Another confusing thing is, the no_frag|only_frag options don't exist in
> the Cisco FireSIGHT rule editor.
>
>
> My questions are:
> 1.) As far as the no_stream option goes, it sounds like all of the payload
> detection options have to fire on a single packet.  Is this correct?
> 2.) What are the no_frag|only_frag options used for?  The only
> "fragmentation" that I am aware of occurs in IP, and "flow" seems like it
> only pertains to TCP.
>
>
> Thank you.
>
>
> Warm Regards,
> -Damian
_______________________________________________
Snort-users mailing list
Snort-users () lists snort org
Go to this URL to change user options or unsubscribe:
https://lists.snort.org/mailman/listinfo/snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!