[Snort-devel] Config Stateful Issue
bmc at ...835...
Sun Feb 12 14:17:02 EST 2006
On Feb 10, 2006, at 5:13 PM, Steven Sturges wrote:
> I'm all in favor of removing config stateful entirely,
> because it has added all sorts of confusion with the
> addition of the enforce_state (a while ago, mind you) to
"config stateful" has always been dumb. I voiced that complaint many
years ago. As per Snort's manual, using "config stateful" or the -z
command line option has been superseded by "flow:established;" since
The implementation of "enforce_state" leaves much to be desired. The
idea is to disregard sessions that Snort doesn't see the complete
session. While this feature protects Snort's performance in harsh
deployments, it alters how rules are processed in a manner that it
should not. The following rule, as written, should match all TCP
packets, regardless of state of a session.
alert tcp any any -> any any (content:"bmc is awesome";)
However, using "enforce_state", as documented earlier in this thread,
As I see it, this is not really a voting matter. One side of the
house induces a side-effect that breaks rules as written, whilst the
other does not.
BTW, some might say "flow" and "uricontent" also exhibit the same
behavior, however these keywords have inherent prerequisites.
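The side effect the message describes, as an added example that is not part of the original post and not Snort's own code: a simplified Python model of session tracking in which "enforce_state" discards packets of sessions whose handshake the sensor never saw before any rule runs, while "flow:established;" only constrains the rules that carry it. The packets, the hosts 10.0.0.1, 10.0.0.2 and 192.0.2.10, and the three-way-handshake tracker are all constructed for the example.

```python
"""Simplified model of how session state gates rule matching.

Illustrative model written for this thread, not Snort's implementation.
Addresses, packets and the handshake tracker are constructed here.
"""

from dataclasses import dataclass


@dataclass
class Packet:
    src: str
    dst: str
    flags: str          # "S", "SA", "A", "PA" (TCP flag abbreviations)
    payload: bytes = b""


@dataclass
class Rule:
    name: str
    content: bytes
    flow_established: bool = False   # models the "flow:established;" option


class SessionTracker:
    """Records which host pairs completed a SYN / SYN-ACK / ACK handshake."""

    def __init__(self):
        self._stage = {}   # host pair -> handshake stage reached (0..3)

    @staticmethod
    def _key(pkt):
        # Direction-independent key so both halves of a session share state.
        return tuple(sorted((pkt.src, pkt.dst)))

    def observe(self, pkt):
        """Update handshake state for this packet; return True if established."""
        k = self._key(pkt)
        stage = self._stage.get(k, 0)
        if pkt.flags == "S" and stage == 0:
            self._stage[k] = 1
        elif pkt.flags == "SA" and stage == 1:
            self._stage[k] = 2
        elif pkt.flags == "A" and stage == 2:
            self._stage[k] = 3
        return self._stage.get(k, 0) == 3


def run_rules(packets, rules, enforce_state):
    """Return (rule name, source IP) for every rule hit.

    enforce_state=True drops packets of sessions whose handshake was not
    observed *before* rule evaluation, so even a rule without a flow
    option never sees them.  enforce_state=False leaves that decision to
    each rule's own flow option.
    """
    tracker = SessionTracker()
    hits = []
    for pkt in packets:
        established = tracker.observe(pkt)
        if enforce_state and not established:
            continue                       # session discarded wholesale
        for rule in rules:
            if rule.flow_established and not established:
                continue                   # only this rule opts out
            if rule.content in pkt.payload:
                hits.append((rule.name, pkt.src))
    return hits


def sample_traffic():
    """Constructed sample: one fully observed session (10.0.0.1) and one
    session picked up midstream (10.0.0.2), carrying the same payload."""
    c1, c2, srv = "10.0.0.1", "10.0.0.2", "192.0.2.10"
    data = b"bmc is awesome"
    return [
        Packet(c1, srv, "S"),
        Packet(srv, c1, "SA"),
        Packet(c1, srv, "A"),
        Packet(c1, srv, "PA", data),
        Packet(c2, srv, "PA", data),   # handshake never seen by the sensor
    ]


def sample_rules():
    # The first rule is the thread's "match all TCP packets" rule; the
    # second is the same rule with flow:established added.
    return [
        Rule("no_flow", b"bmc is awesome"),
        Rule("flow_established", b"bmc is awesome", flow_established=True),
    ]


if __name__ == "__main__":
    for enforce in (False, True):
        print(f"enforce_state={enforce}:",
              run_rules(sample_traffic(), sample_rules(), enforce))
```

Without enforce_state the rule that has no flow option fires on both the handshaked session and the midstream one, exactly as written; with enforce_state the midstream packet is dropped before detection and that same rule is silently narrowed to established sessions. The flow:established rule behaves identically in both modes, which is why a per-rule option is the less surprising place to express the prerequisite.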