[Snort-devel] noinspect parameter in stream4

Steven Sturges steve.sturges at ...402...
Tue Aug 14 16:00:18 EDT 2007


flow requires stream4 (or Stream5).  Should not require flow.

flowbits requires flow (or Stream5 + tracking for TCP/UDP, depending on
rule protocol).

snort user wrote:
> Thanks for the reply.
> 
> I see, the "flow:" rule option requires TCP state tracking. Does it
> require the flow preprocessor also?
> 
> How about the "flowbits:" option? Does that depend on stream4 or flow or both?
> 
> - Thanks
> 
> 
> On 8/14/07, Steven Sturges <steve.sturges at ...402...> wrote:
>> No, flow does not depend on stream4... They were both maintaining
>> their own data structures for flows/sessions.
>>
>> However, the flow:established,to_server etc options relate to
>> TCP state tracking.
>>
>> Cheers.
>> -steve
>>
>> snort user wrote:
>>> Does the flow preprocessor depend on stream4? (spp_flow.c and
>>> everything in flow/ )
>>>
>>> I was trying to find the link/dependency and could not find it -
>>> looked like flow was maintaining its own data structure and all.
>>>
>>> Any information on this is much appreciated.
>>>
>>> -Thanks
>>>
>>> On 8/13/07, Steven Sturges <steve.sturges at ...402...> wrote:
>>>> It disables stateful inspection for ports that are not listed in the
>>>> reassemble list... So, for any rules that use flow:to_server, etc
>>>> options, they will not trigger unless the port is in the list for
>>>> reassembly.
>>>>
>>>> Cheers.
>>>> -steve
>>>>
>>>> snort user wrote:
>>>>> Greetings
>>>>>
>>>>> I have a question with the stream4 preprocessor. I hope someone can
>>>>> answer it even though stream4 is getting obsolete.
>>>>>
>>>>> If I specify noinspect in the stream4 config, should it disable
>>>>> stateful inspection altogether for all ports?
>>>>> Or will it disable stateful inspection for ports not listed in the
>>>>> stream4_reassemble list?
>>>>>
>>>>> Thanks
>>>>>
>>>>> -------------------------------------------------------------------------
>>>>> This SF.net email is sponsored by: Splunk Inc.
>>>>> Still grepping through log files to find problems?  Stop.
>>>>> Now Search log events and configuration files using AJAX and a browser.
>>>>> Download your FREE copy of Splunk now >>  http://get.splunk.com/
>>>>> _______________________________________________
>>>>> Snort-devel mailing list
>>>>> Snort-devel at lists.sourceforge.net
>>>>> https://lists.sourceforge.net/lists/listinfo/snort-devel
>>>>>
>>>
> 
> 
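
Added example (not part of the original thread and not Snort's own code): a small Python check built on the statement above that, with `noinspect` set, rules using `flow:` only trigger on ports in the stream4_reassemble list. The config and rules are constructed samples and the function names are hypothetical; only explicit port lists and `ports all` are handled, and a rule counts as covered only when it names a literal listed port.

```python
import re

# Constructed sample inputs (not taken from the thread).
SNORT_CONF = """\
preprocessor stream4: detect_scans, noinspect
preprocessor stream4_reassemble: both, ports 21 25 80
"""
RULES = """\
alert tcp any any -> any 80 (msg:"web"; flow:to_server,established; content:"GET"; sid:1000001;)
alert tcp any any -> any 8080 (msg:"alt web"; flow:to_server,established; content:"GET"; sid:1000002;)
alert tcp any any -> any 8080 (msg:"no flow"; content:"GET"; sid:1000003;)
alert tcp any any -> any any (msg:"any port"; flow:established; sid:1000004;)
"""

PREPROC_RE = re.compile(r"\s*preprocessor\s+(stream4|stream4_reassemble)\s*:\s*(.*)")
RULE_RE = re.compile(r"^\s*\w+\s+tcp\s+\S+\s+(\S+)\s+(?:->|<>)\s+\S+\s+(\S+)\s+\((.*)\)\s*$")

def stream4_settings(conf):
    """Return (noinspect, ports); ports is a set of ints, or None for 'ports all'."""
    noinspect, ports = False, set()
    for line in conf.splitlines():
        m = PREPROC_RE.match(line)
        if not m:
            continue
        opts = [o.strip() for o in m.group(2).split(",")]
        if m.group(1) == "stream4":
            noinspect = noinspect or "noinspect" in opts
            continue
        for words in (o.split() for o in opts):
            if words and words[0] == "ports":
                # 'ports default' is not modelled here (assumption of this example).
                ports = None if "all" in words[1:] else {int(w) for w in words[1:] if w.isdigit()}
    return noinspect, ports

def flow_rules_not_tracked(conf, rules):
    """SIDs of TCP rules using flow: that name no literal port in the reassembly list."""
    noinspect, ports = stream4_settings(conf)
    if not noinspect or ports is None:
        return []
    flagged = []
    for line in rules.splitlines():
        m = RULE_RE.match(line)
        if not m or not re.search(r"\bflow\s*:", m.group(3)):
            continue  # not a TCP rule, or no flow: option (flowbits: does not match)
        # 'any', variables and ranges are conservatively treated as not covered.
        literal = [int(p) for p in m.group(1, 2) if p.isdigit()]
        if not any(p in ports for p in literal):
            sid = re.search(r"\bsid\s*:\s*(\d+)", m.group(3))
            flagged.append(int(sid.group(1)) if sid else None)
    return flagged
```
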