[Snort-devel] Config Stateful Issue

Brian Caswell bmc at ...835...
Sun Feb 12 14:17:02 EST 2006


On Feb 10, 2006, at 5:13 PM, Steven Sturges wrote:
> I'm all in favor of removing config stateful entirely,
> because it has added all sorts of confusion with the
> addition of the enforce_state (a while ago, mind you) to
> Stream4.

"config stateful" has always been dumb.  I voiced that complaint many
years ago.  As per Snort's manual, using "config stateful" or the -z
command line option has been superseded by "flow:established;" since
2.1.1.

The implementation of "enforce_state" leaves much to be desired.  The
idea is to disregard sessions for which Snort doesn't see the complete
session.  While this feature protects Snort's performance in harsh
deployments, it alters how rules are processed in a manner that it
should not.  The following rule, as written, should match all TCP
packets, regardless of the state of a session.

	alert tcp any any -> any any (content:"bmc is awesome";)

However, using "enforce_state", as documented earlier in this thread,
does not.

As I see it, this is not really a voting matter.  One side of the
house induces a side-effect that breaks rules as written, whilst the
other does not.

BTW, some might say "flow" and "uricontent" also exhibit the same
behavior; however, these keywords have inherent prerequisites.

Brian

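Added illustration of the point Brian makes, as a constructed model rather than Snort code: a global "enforce_state"-style knob silently skips a rule that states no flow prerequisite, whereas "flow:established;" puts that prerequisite in the rule itself. The packet layout, the three-way-handshake tracker and the two rules are assumptions of this model.

```python
"""Constructed model (not Snort source) of how a global session-state
knob changes what a content-only rule matches, versus a per-rule
'flow:established;' prerequisite."""
from dataclasses import dataclass, field

@dataclass
class Rule:
    content: bytes
    flow_established: bool = False   # True models 'flow:established;'

@dataclass
class Detector:
    enforce_state: bool = False      # models 'config stateful' / stream4 enforce_state
    sessions: dict = field(default_factory=dict)   # 4-tuple key -> handshake progress

    def _key(self, pkt):
        return tuple(sorted([pkt["src"], pkt["dst"]]))

    def _track(self, pkt):
        # Handshake progress: 0 none, 1 SYN seen, 2 SYN/ACK seen, 3 ACK seen.
        key, flags = self._key(pkt), pkt["flags"]
        state = self.sessions.get(key, 0)
        if flags == "S" and state == 0: state = 1
        elif flags == "SA" and state == 1: state = 2
        elif flags == "A" and state == 2: state = 3
        self.sessions[key] = state
        return state == 3            # established only after the full handshake

    def process(self, rules, pkt):
        established = self._track(pkt)
        if self.enforce_state and not established:
            return []                # midstream session: every rule is skipped
        return [i for i, r in enumerate(rules)
                if (established or not r.flow_established)
                and r.content in pkt["payload"]]

# Rule 0: content only (the rule from the message). Rule 1: same, plus flow:established.
RULES = [Rule(b"bmc is awesome"), Rule(b"bmc is awesome", flow_established=True)]
CLIENT, SERVER = ("10.0.0.1", 40000), ("10.0.0.2", 80)   # constructed sample endpoints

def midstream_hits(enforce_state: bool):
    """Data packet from a session whose handshake was never observed."""
    d = Detector(enforce_state)
    return d.process(RULES, {"src": CLIENT, "dst": SERVER, "flags": "PA",
                             "payload": b"bmc is awesome"})

def established_hits(enforce_state: bool):
    """Same data packet, but after a fully observed three-way handshake."""
    d = Detector(enforce_state)
    for src, dst, fl in [(CLIENT, SERVER, "S"), (SERVER, CLIENT, "SA"), (CLIENT, SERVER, "A")]:
        d.process(RULES, {"src": src, "dst": dst, "flags": fl, "payload": b""})
    return d.process(RULES, {"src": CLIENT, "dst": SERVER, "flags": "PA",
                             "payload": b"bmc is awesome"})
```

With the knob off, the content-only rule fires on the midstream packet; with it on, the same rule is silently skipped, while the rule carrying "flow:established;" behaves identically under both settings.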