[Snort-devel] Call for Stream5 Testers

Justin Heath justin.heath at ...2499...
Mon Jan 22 20:57:38 EST 2007

In addition to Steve's comments I would like to add the following.

Beta 1 binaries for FC6, RHEL4 and Win32 are available at the
following location:


When sending in a bug report please include the following files
(tar.bz2 for *nix and zip format for win32 is preferred)

config.log (if you built from source)
pcap (applicable for runtime bugs, please set snaplen to 0 when capturing)
core file (if Snort segfaults)

Here are a couple of tips when running Beta 1.

Make sure the number of alerts correspond with your environment.
Run the stable version of Snort ( side by side for comparison.
Keep any eye on CPU and memory statistics.

Remember, Snort's behaviour can be very specific to your environment.
So, now is the time to make sure Snort works for you. With big changes
like Stream5 any amount of testing can be helpful, if you can only
fire up the beta for an hour in your environment that can still be
useful. With tarballs and binaries available this should be in reach
for most everyone at any skill level.

Justin Heath

On 1/22/07, Steven Sturges <steve.sturges at ...402...> wrote:
> Hi Snorters!
> With the Snort 2.7.0 Beta1 now available (see www.snort.org for
> details!), we wanted to put out a request for beta testers who
> will specifically look at Stream5.
> Since we are all looking to make Snort better, please let us know
> what you are testing.  We want to be sure we have as much coverage
> as possible.
>         Your platform: OS (Windows, FC6, Ubuntu 6.06, etc)
>                        prebuilt or built from src tarball
>                        If built from src, your 'configure' line
>         Your configuration (snort.conf, rules)
> To be an active participant please email us at snort-beta at ...402...
> with the above information.
> If you have any issues, bugs, concerns, etc, please send the above
> information, as well as a traffic capture (pcap/tcpdump format) if
> possible so that we can try to reproduce it quickly.  And don't forget
> that credible bugs lead to Snort goodies!
> Here is some additional information specifically relating to
> testing Stream5.
>   * Stream5 has a series of target-based policies for reassembly
>     (and handling of various TCP flags, timestamps, etc).  You
>     should disable BOTH Stream4 AND flow preprocessors -- Stream5
>     is designed to replace both of them.  Look at README.stream5 for
>     specific configuration option details and syntax.
>     Policies and corresponding OS's are:
>         Policy Name     Operating Systems
>         -----------     -----------------
>         bsd             FreeBSD, OpenBSD, etc
>         solaris         Solaris 9, Solaris 10
>         macos           Mac OSX, MacOS 10.4
>         hpux            HPUX-11
>         hpux10          HPUX-10.2
>         linux           Linux Kernel 2.4 & newer
>         old-linux       Linux Kernel 2.2 & earlier
>         windows         Windows 2000, 95, 98, ME, NT, XP
>         win2003         Windows 2003 Server
>         vista           Windows Vista
>         irix            SGI Irix
>     Specify the policy name with the policy option and use the bind_to
>     option to tie that policy to the TCP recipient of that packet.
>     Examples:
>     1)The following example has linux kernels residing on the
>       192.168.1 network, a solaris host on, and all
>       others (the 'default' policy) using windows.  UDP is also
>       tracked for the purposes of flowbits.  Reassembly occurs
>       on the default set of client ports (see README.stream5 for
>       details).
>         preprocessor stream5_global: track_tcp yes, max_tcp 16184, \
>                 track_udp yes
>         preprocessor stream5_tcp: policy linux, bind_to
>         preprocessor stream5_tcp: policy solaris, bind_to
>         preprocessor stream5_tcp: policy windows
>         preprocessor stream5_udp:
>     2)This example has a specific win2003 server  -- perhaps it would
>       be listed as an IIS server for the http_inspect config, too.  :)
>       Reassembly on ports 137 (DCE) and 80 & 8080 (HTTP).  And a solaris
>       SMTP server, default ports for the client side.  Plus remaining
>       network of linux hosts.  Uses the default max_tcp sessions
>       of 8192.
>         preprocessor stream5_global: track_tcp yes, track_udp yes
>         preprocessor stream5_tcp: policy win2003, bind_to, \
>                 ports client 137, ports both 80 8080
>         preprocessor stream5_tcp: policy solaris, bind_to, \
>                 ports server 25, ports client
>         preprocessor stream5_tcp: policy linux, bind_to,
>                 use_static_footprint_sizes, require_3whs
>         preprocessor stream5_udp:
>   * Test any configuration option listed in the Stream5 README file.
>   * Use all protocol analyzers including Frag3, HTTP Inspect, SMTP,
>     FTP/Telnet, DCE/RPC, etc. as you normally would
>   * Test Inline and IDS deployments
> Cheers.
> -steve
> -------------------------------------------------------------------------
> Take Surveys. Earn Cash. Influence the Future of IT
> Join SourceForge.net's Techsay panel and you'll get the chance to share your
> opinions on IT & business topics through brief surveys - and earn cash
> http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV
> _______________________________________________
> Snort-devel mailing list
> Snort-devel at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-devel

More information about the Snort-devel mailing list