[Snort-devel] Stream5 Question

Steven Sturges steve.sturges at ...402...
Wed Sep 5 16:03:05 EDT 2007


Yes, that is correct.

snort user wrote:
> And when a reassembly is done, both the reassembled stream as well as
> the current packet goes through the matching engine, right ?
> (in both modes - window and flush)
> 
> 
> 
> 
> On 9/5/07, Steven Sturges <steve.sturges at ...402...> wrote:
>> By deafult Stream5 reassembles every 'n' segments, based on a flush point.
>>
>> However, any session can be programatically changed/configured to
>> use the sliding window policy, which would reassemble with every
>> segment along a sliding window that is larger than the flush point.
>> Have a look at the stream api header file for details on the
>> set_reassembly() function.
>>
>> Cheers.
>> -steve
>>
>> snort user wrote:
>>> Hello and Greetings.
>>>
>>> Does stream5, in the inline mode, perform reassembly for every tcp
>>> segment (with data) ?
>>> or is it done every 'n' segments (where n > 1) based on when the flush
>>> point is reached ?
>>>
>>> Thanks
>>>
>>> -------------------------------------------------------------------------
>>> This SF.net email is sponsored by: Splunk Inc.
>>> Still grepping through log files to find problems?  Stop.
>>> Now Search log events and configuration files using AJAX and a browser.
>>> Download your FREE copy of Splunk now >>  http://get.splunk.com/
>>> _______________________________________________
>>> Snort-devel mailing list
>>> Snort-devel at lists.sourceforge.net
>>> https://lists.sourceforge.net/lists/listinfo/snort-devel
>>>
> 
> -------------------------------------------------------------------------
> This SF.net email is sponsored by: Splunk Inc.
> Still grepping through log files to find problems?  Stop.
> Now Search log events and configuration files using AJAX and a browser.
> Download your FREE copy of Splunk now >>  http://get.splunk.com/
> _______________________________________________
> Snort-devel mailing list
> Snort-devel at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-devel
> 




More information about the Snort-devel mailing list