[Snort-devel] Call for Stream5 Testers
william.metcalf at ...2499...
Mon Jan 22 20:00:32 EST 2007
Do we have any inline reassembly lovin in this release?
On 1/22/07, Steven Sturges <steve.sturges at ...402...> wrote:
> Hi Snorters!
> With the Snort 2.7.0 Beta1 now available (see www.snort.org for
> details!), we wanted to put out a request for beta testers who
> will specifically look at Stream5.
> Since we are all looking to make Snort better, please let us know
> what you are testing. We want to be sure we have as much coverage
> as possible.
> Your platform: OS (Windows, FC6, Ubuntu 6.06, etc)
> prebuilt or built from src tarball
> If built from src, your 'configure' line
> Your configuration (snort.conf, rules)
> To be an active participant please email us at snort-beta at ...402...
> with the above information.
> If you have any issues, bugs, concerns, etc, please send the above
> information, as well as a traffic capture (pcap/tcpdump format) if
> possible so that we can try to reproduce it quickly. And don't forget
> that credible bugs lead to Snort goodies!
> Here is some additional information specifically relating to
> testing Stream5.
> * Stream5 has a series of target-based policies for reassembly
> (and handling of various TCP flags, timestamps, etc). You
> should disable BOTH Stream4 AND flow preprocessors -- Stream5
> is designed to replace both of them. Look at README.stream5 for
> specific configuration option details and syntax.
> Policies and corresponding OS's are:
> Policy Name    Operating Systems
> -----------    -----------------
> bsd            FreeBSD, OpenBSD, etc
> solaris        Solaris 9, Solaris 10
> macos          Mac OSX, MacOS 10.4
> hpux           HPUX-11
> hpux10         HPUX-10.2
> linux          Linux Kernel 2.4 & newer
> old-linux      Linux Kernel 2.2 & earlier
> windows        Windows 2000, 95, 98, ME, NT, XP
> win2003        Windows 2003 Server
> vista          Windows Vista
> irix           SGI Irix
> Specify the policy name with the policy option and use the bind_to
> option to tie that policy to the TCP recipient of that packet.
> 1) The following example has linux kernels residing on the
> 192.168.1 network, a solaris host on 126.96.36.199, and all
> others (the 'default' policy) using windows. UDP is also
> tracked for the purposes of flowbits. Reassembly occurs
> on the default set of client ports (see README.stream5 for
> preprocessor stream5_global: track_tcp yes, max_tcp 16184, \
> track_udp yes
> preprocessor stream5_tcp: policy linux, bind_to 192.168.1.0/24
> preprocessor stream5_tcp: policy solaris, bind_to 188.8.131.52
> preprocessor stream5_tcp: policy windows
> preprocessor stream5_udp:
> 2) This example has a specific win2003 server -- perhaps it would
> be listed as an IIS server for the http_inspect config, too. :)
> Reassembly on ports 137 (DCE) and 80 & 8080 (HTTP). And a solaris
> SMTP server, default ports for the client side. Plus remaining
> network of linux hosts. Uses the default max_tcp sessions
> of 8192.
> preprocessor stream5_global: track_tcp yes, track_udp yes
> preprocessor stream5_tcp: policy win2003, bind_to 192.168.1.1, \
> ports client 137, ports both 80 8080
> preprocessor stream5_tcp: policy solaris, bind_to 192.168.1.2, \
> ports server 25, ports client
> preprocessor stream5_tcp: policy linux, bind_to 192.168.1.0/24, \
> use_static_footprint_sizes, require_3whs
> preprocessor stream5_udp:
> * Test any configuration option listed in the Stream5 README file.
> * Use all protocol analyzers including Frag3, HTTP Inspect, SMTP,
> FTP/Telnet, DCE/RPC, etc. as you normally would
> * Test Inline and IDS deployments
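A pre-flight check for the configuration advice in the announcement above, as an added example that is not part of the original message or of Snort. It joins `\`-continued lines, then flags stream4/flow preprocessors left enabled next to Stream5, an option line that ends in a comma with no continuation, policy names missing from the announcement's table, and more than one stream5_tcp line without bind_to. The names `lint_stream5` and `logical_lines` and the sample config are constructed for illustration, and treating a second default policy as an error is an assumption.

```python
import re

# Policy names taken from the table in the announcement; the README may list more.
POLICIES = {"bsd", "solaris", "macos", "hpux", "hpux10", "linux",
            "old-linux", "windows", "win2003", "vista", "irix"}
LEGACY = {"stream4", "stream4_reassemble", "flow"}

def logical_lines(text):
    """Join backslash-continued lines; skip blank lines and comments."""
    out, buf = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):
            buf += line[:-1].rstrip() + " "
        else:
            out.append(buf + line)
            buf = ""
    return out + ([buf.strip()] if buf else [])

def lint_stream5(text):
    """Return a list of problems found in the preprocessor lines of a config."""
    problems, defaults, seen = [], 0, set()
    for line in logical_lines(text):
        m = re.match(r"preprocessor\s+(\w+)\s*:?\s*(.*)$", line)
        if not m:
            continue  # not a preprocessor directive
        name, args = m.groups()
        seen.add(name)
        if args.endswith(","):
            problems.append(f"{name} line ends with ',' but has no '\\' continuation")
        if name != "stream5_tcp":
            continue
        opts = dict((o.split(None, 1) + [""])[:2] for o in args.split(",") if o.strip())
        if "policy" in opts and opts["policy"] not in POLICIES:
            problems.append(f"policy '{opts['policy']}' is not in the announcement's table")
        if "bind_to" not in opts:
            defaults += 1
    if defaults > 1:  # assumption: only one unbound (default) policy is allowed
        problems.append("more than one stream5_tcp line without bind_to")
    if any(n.startswith("stream5") for n in seen):
        problems += [f"{n} still enabled; the announcement says to disable it"
                     for n in sorted(seen & LEGACY)]
    return problems

# Constructed sample: legacy flow left on, and a continuation backslash lost.
SAMPLE = """preprocessor flow: stats_interval 0
preprocessor stream5_tcp: policy linux, bind_to 192.168.1.0/24,
    use_static_footprint_sizes, require_3whs
preprocessor stream5_tcp: policy windows"""
```

`lint_stream5(SAMPLE)` returns two findings: the dangling comma on the linux line and the flow preprocessor still being enabled.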