[Snort-devel] Call for Stream5 Testers
steve.sturges at ...402...
Mon Jan 22 17:44:35 EST 2007
With the Snort 2.7.0 Beta1 now available (see www.snort.org for
details!), we wanted to put out a request for beta testers who
will specifically look at Stream5.
Since we are all looking to make Snort better, please let us know
what you are testing. We want to be sure we have as much coverage
Your platform: OS (Windows, FC6, Ubuntu 6.06, etc)
prebuilt or built from src tarball
If built from src, your 'configure' line
Your configuration (snort.conf, rules)
To be an active participant please email us at snort-beta at ...402...
with the above information.
If you have any issues, bugs, concerns, etc, please send the above
information, as well as a traffic capture (pcap/tcpdump format) if
possible so that we can try to reproduce it quickly. And don't forget
that credible bugs lead to Snort goodies!
Here is some additional information specifically relating to
* Stream5 has a series of target-based policies for reassembly
(and handling of various TCP flags, timestamps, etc). You
should disable BOTH Stream4 AND flow preprocessors -- Stream5
is designed to replace both of them. Look at README.stream5 for
specific configuration option details and syntax.
Policies and corresponding OS's are:
Policy Name Operating Systems
bsd FreeBSD, OpenBSD, etc
solaris Solaris 9, Solaris 10
macos Mac OSX, MacOS 10.4
linux Linux Kernel 2.4 & newer
old-linux Linux Kernel 2.2 & earlier
windows Windows 2000, 95, 98, ME, NT, XP
win2003 Windows 2003 Server
vista Windows Vista
irix SGI Irix
Specify the policy name with the policy option and use the bind_to
option to tie that policy to the TCP recipient of that packet.
1)The following example has linux kernels residing on the
192.168.1 network, a solaris host on 126.96.36.199, and all
others (the 'default' policy) using windows. UDP is also
tracked for the purposes of flowbits. Reassembly occurs
on the default set of client ports (see README.stream5 for
preprocessor stream5_global: track_tcp yes, max_tcp 16184, \
preprocessor stream5_tcp: policy linux, bind_to 192.168.1.0/24
preprocessor stream5_tcp: policy solaris, bind_to 188.8.131.52
preprocessor stream5_tcp: policy windows
2)This example has a specific win2003 server -- perhaps it would
be listed as an IIS server for the http_inspect config, too. :)
Reassembly on ports 137 (DCE) and 80 & 8080 (HTTP). And a solaris
SMTP server, default ports for the client side. Plus remaining
network of linux hosts. Uses the default max_tcp sessions
preprocessor stream5_global: track_tcp yes, track_udp yes
preprocessor stream5_tcp: policy win2003, bind_to 192.168.1.1, \
ports client 137, ports both 80 8080
preprocessor stream5_tcp: policy solaris, bind_to 192.168.1.2, \
ports server 25, ports client
preprocessor stream5_tcp: policy linux, bind_to 192.168.1.0/24,
* Test any configuration option listed in the Stream5 README file.
* Use all protocol analyzers including Frag3, HTTP Inspect, SMTP,
FTP/Telnet, DCE/RPC, etc. as you normally would
* Test Inline and IDS deployments
More information about the Snort-devel