[Snort-devel] noinspect parameter in stream4

snort user snort.user at ...2499...
Tue Aug 14 15:55:51 EDT 2007


Thanks for the reply.

I see, the "flow:" rule option requires TCP state tracking. Does it
require the flow preprocessor also?

How about the "flowbits:" option? Does that depend on stream4 or flow or both?

- Thanks


On 8/14/07, Steven Sturges <steve.sturges at ...402...> wrote:
> No, flow does not depend on stream4... They were both maintaining
> their own data structures for flows/sessions.
>
> However, the flow:established,to_server etc options relate to
> TCP state tracking.
>
> Cheers.
> -steve
>
> snort user wrote:
> > Does the flow preprocessor depend on stream4? (spp_flow.c and
> > everything in flow/)
> >
> > I was trying to find the link/dependency and could not find it -
> > looked like flow was maintaining its own data structure and all.
> >
> > Any information on this is much appreciated.
> >
> > -Thanks
> >
> > On 8/13/07, Steven Sturges <steve.sturges at ...402...> wrote:
> >> It disables stateful inspection for ports that are not listed in the
> >> reassemble list... So, for any rules that use flow:to_server, etc
> >> options, they will not trigger unless the port is in the list for
> >> reassembly.
> >>
> >> Cheers.
> >> -steve
> >>
> >> snort user wrote:
> >>> Greetings
> >>>
> >>> I have a question with the stream4 preprocessor. I hope someone can
> >>> answer it even though stream4 is getting obsolete.
> >>>
> >>> If I specify noinspect in the stream4 config, will it disable
> >>> stateful inspection altogether for all ports?
> >>> Or will it disable stateful inspection for ports not listed in the
> >>> stream4_reassemble list?
> >>>
> >>> Thanks
> >>>
> >>> -------------------------------------------------------------------------
> >>> This SF.net email is sponsored by: Splunk Inc.
> >>> Still grepping through log files to find problems?  Stop.
> >>> Now Search log events and configuration files using AJAX and a browser.
> >>> Download your FREE copy of Splunk now >>  http://get.splunk.com/
> >>> _______________________________________________
> >>> Snort-devel mailing list
> >>> Snort-devel at lists.sourceforge.net
> >>> https://lists.sourceforge.net/lists/listinfo/snort-devel
> >>>
> >
>
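
The behaviour described in the quoted 8/13 reply (with noinspect set, rules using flow: options do not trigger unless the port is in the reassembly list) can be turned into a coverage check. This is an added example, not code from the thread or from the Snort project; the parsing is simplified and assumes `ports` is given as an explicit whitespace-separated numeric list, and the sample config and rules are constructed.

```python
import re

# Constructed sample config and rules (not from the thread).
SAMPLE_CONF = """\
preprocessor stream4: noinspect, timeout 60
preprocessor stream4_reassemble: both, ports 21 25 80
"""
SAMPLE_RULES = """\
alert tcp any any -> any 80 (msg:"constructed A"; flow:to_server,established; sid:1000001;)
alert tcp any any -> any 8080 (msg:"constructed B"; flow:to_server,established; sid:1000002;)
alert tcp any any -> any 8080 (msg:"constructed C"; content:"x"; sid:1000003;)
"""
# Simplified rule header match: action, tcp, src, sport, direction, dst, dport, (options)
RULE = re.compile(r"^\w+\s+tcp\s+\S+\s+\S+\s+(?:->|<>)\s+\S+\s+(\S+)\s+\((.*)\)\s*$")

def stream4_state(conf):
    """Return (noinspect_set, ports); ports is None when no explicit numeric list is given."""
    noinspect, ports = False, None
    for line in conf.splitlines():
        line = line.split("#", 1)[0].strip()          # drop comments
        m = re.match(r"preprocessor\s+(stream4(?:_reassemble)?)\s*:?\s*(.*)", line)
        if not m:
            continue
        name, args = m.groups()
        opts = [o.strip() for o in args.split(",")]
        if name == "stream4":
            noinspect = noinspect or "noinspect" in opts
        else:
            for o in opts:
                if o.startswith("ports"):
                    nums = [t for t in o.split()[1:] if t.isdigit()]
                    ports = {int(t) for t in nums} if nums else None
    return noinspect, ports

def silenced_rules(conf, rules):
    """SIDs of flow: rules whose numeric destination port is outside the reassembly list."""
    noinspect, ports = stream4_state(conf)
    if not noinspect or ports is None:
        return []                                      # nothing to report, or not decidable here
    hits = []
    for line in rules.splitlines():
        m = RULE.match(line.strip())
        if not m:
            continue
        dport, body = m.groups()
        sid = re.search(r"\bsid\s*:\s*(\d+)", body)
        # \bflow\s*: matches "flow:" but not "flowbits:", which the thread leaves unanswered
        if sid and re.search(r"\bflow\s*:", body) and dport.isdigit() and int(dport) not in ports:
            hits.append(int(sid.group(1)))
    return hits
```

Rules with `any` or variable destination ports are skipped, so an empty result from this check does not prove full coverage.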



