[Snort-devel] Call for Stream5 Testers

Will Metcalf william.metcalf at ...2499...
Mon Jan 22 20:00:32 EST 2007


Do we have any inline reassembly lovin in this release?

Regards,

Will

On 1/22/07, Steven Sturges <steve.sturges at ...402...> wrote:
> Hi Snorters!
>
> With the Snort 2.7.0 Beta1 now available (see www.snort.org for
> details!), we wanted to put out a request for beta testers who
> will specifically look at Stream5.
>
> Since we are all looking to make Snort better, please let us know
> what you are testing.  We want to be sure we have as much coverage
> as possible.
>
>         Your platform: OS (Windows, FC6, Ubuntu 6.06, etc)
>                        prebuilt or built from src tarball
>                        If built from src, your 'configure' line
>         Your configuration (snort.conf, rules)
>
> To be an active participant please email us at snort-beta at ...402...
> with the above information.
>
> If you have any issues, bugs, concerns, etc, please send the above
> information, as well as a traffic capture (pcap/tcpdump format) if
> possible so that we can try to reproduce it quickly.  And don't forget
> that credible bugs lead to Snort goodies!
>
> Here is some additional information specifically relating to
> testing Stream5.
>
>   * Stream5 has a series of target-based policies for reassembly
>     (and handling of various TCP flags, timestamps, etc).  You
>     should disable BOTH Stream4 AND flow preprocessors -- Stream5
>     is designed to replace both of them.  Look at README.stream5 for
>     specific configuration option details and syntax.
>
>     Policies and corresponding OS's are:
>
>         Policy Name     Operating Systems
>         -----------     -----------------
>         bsd             FreeBSD, OpenBSD, etc
>         solaris         Solaris 9, Solaris 10
>         macos           Mac OSX, MacOS 10.4
>         hpux            HPUX-11
>         hpux10          HPUX-10.2
>         linux           Linux Kernel 2.4 & newer
>         old-linux       Linux Kernel 2.2 & earlier
>         windows         Windows 2000, 95, 98, ME, NT, XP
>         win2003         Windows 2003 Server
>         vista           Windows Vista
>         irix            SGI Irix
>
>     Specify the policy name with the policy option and use the bind_to
>     option to tie that policy to the TCP recipient of that packet.
>
>     Examples:
>
>     1)The following example has linux kernels residing on the
>       192.168.1 network, a solaris host on 172.168.1.1, and all
>       others (the 'default' policy) using windows.  UDP is also
>       tracked for the purposes of flowbits.  Reassembly occurs
>       on the default set of client ports (see README.stream5 for
>       details).
>
>         preprocessor stream5_global: track_tcp yes, max_tcp 16184, \
>                 track_udp yes
>         preprocessor stream5_tcp: policy linux, bind_to 192.168.1.0/24
>         preprocessor stream5_tcp: policy solaris, bind_to 172.168.1.1
>         preprocessor stream5_tcp: policy windows
>         preprocessor stream5_udp:
>
>     2)This example has a specific win2003 server  -- perhaps it would
>       be listed as an IIS server for the http_inspect config, too.  :)
>       Reassembly on ports 137 (DCE) and 80 & 8080 (HTTP).  And a solaris
>       SMTP server, default ports for the client side.  Plus remaining
>       network of linux hosts.  Uses the default max_tcp sessions
>       of 8192.
>
>         preprocessor stream5_global: track_tcp yes, track_udp yes
>         preprocessor stream5_tcp: policy win2003, bind_to 192.168.1.1, \
>                 ports client 137, ports both 80 8080
>         preprocessor stream5_tcp: policy solaris, bind_to 192.168.1.2, \
>                 ports server 25, ports client
>         preprocessor stream5_tcp: policy linux, bind_to 192.168.1.0/24, \
>                 use_static_footprint_sizes, require_3whs
>         preprocessor stream5_udp:
>
>   * Test any configuration option listed in the Stream5 README file.
>
>   * Use all protocol analyzers including Frag3, HTTP Inspect, SMTP,
>     FTP/Telnet, DCE/RPC, etc. as you normally would
>
>   * Test Inline and IDS deployments
>
>
> Cheers.
> -steve
>
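
A pre-flight check for a Stream5 test configuration, added here as an example (it is not part of the original thread or of Snort). It flags the three problems the announcement's instructions imply: Stream4 or flow left enabled next to Stream5, a policy name missing from the table above, and a line that ends in a comma without a '\' continuation. The finding labels and the sample config are constructed for illustration.

```python
import re

# Policy names from the table in the announcement above.
KNOWN_POLICIES = {"bsd", "solaris", "macos", "hpux", "hpux10", "linux",
                  "old-linux", "windows", "win2003", "vista", "irix"}

def logical_lines(text):
    """Join backslash-continued lines; yield (first_line_no, joined_text)."""
    buf, start = "", None
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].rstrip()      # drop comments
        if not line and not buf:
            continue
        if start is None:
            start = no
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        yield start, (buf + line).strip()
        buf, start = "", None
    if buf:                                       # file ended mid-continuation
        yield start, buf.strip()

def lint(text):
    """Return sorted (line_no, finding) pairs for a Stream5 config fragment."""
    findings, replaced, has_stream5 = [], [], False
    for no, line in logical_lines(text):
        if line.endswith(","):                    # option list cut off: no '\'
            findings.append((no, "missing-continuation"))
        m = re.match(r"preprocessor\s+([\w-]+)\s*:?\s*(.*)", line)
        if not m:
            continue
        name, args = m.groups()
        if name == "flow" or name.startswith("stream4"):
            replaced.append((no, "replaced-by-stream5: " + name))
        has_stream5 |= name.startswith("stream5")
        if name == "stream5_tcp":
            for opt in args.split(","):
                tok = opt.split()
                if len(tok) >= 2 and tok[0] == "policy" and tok[1] not in KNOWN_POLICIES:
                    findings.append((no, "unknown-policy: " + tok[1]))
    # Stream4/flow only conflict when Stream5 is actually configured.
    return sorted(findings + (replaced if has_stream5 else []))

# Constructed sample input, not a configuration taken from the thread.
SAMPLE = """\
preprocessor flow: stats_interval 0 hash 2
preprocessor stream5_global: track_tcp yes, \\
        track_udp yes
preprocessor stream5_tcp: policy win2k3, bind_to 192.168.1.1
preprocessor stream5_tcp: policy linux, bind_to 192.168.1.0/24,
        require_3whs
preprocessor stream5_tcp: policy windows
"""

if __name__ == "__main__":
    for no, msg in lint(SAMPLE):
        print("line %d: %s" % (no, msg))
```
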



