[Snort-devel] Stream5 Question

snort user snort.user at ...2499...
Mon Jul 7 13:16:06 EDT 2008


Hello and Greetings

Stream5 has been in snort for quite some time now. I am assuming that
it is as stable as stream4
(correct me if I am wrong)

Having noted that, what are the features that are present in one and
not the other?

The obvious addition in stream5 is the 'target based reassembly'.
I checked the READMEs and did not find anything else standing out.

Are there any more features that Stream5 provides that are not there in Stream4?
Are there any features that are missing in stream5 from stream4?

Is one (stream4 or stream5) superior to the other from experience?

Thanks !!


On Wed, Sep 5, 2007 at 4:03 PM, Steven Sturges
<steve.sturges at ...402...> wrote:
> Yes, that is correct.
>
> snort user wrote:
>> And when a reassembly is done, both the reassembled stream as well as
>> the current packet goes through the matching engine, right ?
>> (in both modes - window and flush)
>>
>>
>>
>>
>> On 9/5/07, Steven Sturges <steve.sturges at ...402...> wrote:
>>> By default Stream5 reassembles every 'n' segments, based on a flush point.
>>>
>>> However, any session can be programmatically changed/configured to
>>> use the sliding window policy, which would reassemble with every
>>> segment along a sliding window that is larger than the flush point.
>>> Have a look at the stream api header file for details on the
>>> set_reassembly() function.
>>>
>>> Cheers.
>>> -steve
>>>
>>> snort user wrote:
>>>> Hello and Greetings.
>>>>
>>>> Does stream5, in the inline mode, perform reassembly for every tcp
>>>> segment (with data) ?
>>>> or is it done every 'n' segments (where n > 1) based on when the flush
>>>> point is reached ?
>>>>
>>>> Thanks
>>>>
>>
>
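The two reassembly policies described in the quoted replies, as a simplified model added here for illustration; it is not Snort source and not code from either poster. `FLUSH_POINT`, `WINDOW`, the byte-based flush, the substring matcher and all function names are assumptions. It reports at which segment a pattern split across two segments first reaches the matcher, and how many buffers are matched in total.

```c
#include <stdio.h>
#include <string.h>
/* Simplified model, NOT Snort source. Sizes and names are assumptions. */
#define FLUSH_POINT 16   /* assumed: bytes buffered before a flush */
#define WINDOW      32   /* assumed: sliding window, larger than the flush point */
enum policy { POLICY_FLUSH, POLICY_WINDOW };

/* Constructed sample: "index" is split across segments 1 and 2. */
static const char *SAMPLE[] = { "GET /i", "ndex.p", "hp?id=", "1 HTTP" };

/* Stand-in for the matching engine: plain substring search over one buffer. */
static int match(const char *buf, size_t len, const char *pat) {
    size_t n = strlen(pat);
    for (size_t i = 0; n && i + n <= len; i++)
        if (memcmp(buf + i, pat, n) == 0) return 1;
    return 0;
}

/* Returns the 1-based segment where pat first reaches the matcher (0 = never);
 * *inspected counts every buffer, packet or reassembled, given to the matcher. */
int first_detect(enum policy p, const char **segs, int nsegs,
                 const char *pat, int *inspected) {
    char stream[WINDOW + 64];
    size_t have = 0;
    int hit = 0;
    *inspected = 0;
    for (int i = 0; i < nsegs; i++) {
        size_t len = strlen(segs[i]);
        if (len > 64) return -1;                 /* model limit on segment size */
        ++*inspected;                            /* the current packet is always matched */
        if (!hit && match(segs[i], len, pat)) hit = i + 1;
        memcpy(stream + have, segs[i], len);
        have += len;
        if (p == POLICY_WINDOW && have > WINDOW) {   /* keep only the newest bytes */
            memmove(stream, stream + have - WINDOW, WINDOW);
            have = WINDOW;
        }
        if (p == POLICY_FLUSH && have < FLUSH_POINT) continue;  /* not flushed yet */
        ++*inspected;                            /* reassembled buffer is matched */
        if (!hit && match(stream, have, pat)) hit = i + 1;
        if (p == POLICY_FLUSH) have = 0;         /* flushed data is released */
    }
    return hit;
}

int main(void) {
    int n, s = first_detect(POLICY_FLUSH, SAMPLE, 4, "index", &n);
    printf("flush point:    first seen at segment %d, %d buffers matched\n", s, n);
    s = first_detect(POLICY_WINDOW, SAMPLE, 4, "index", &n);
    printf("sliding window: first seen at segment %d, %d buffers matched\n", s, n);
    return 0;
}
```

In this model the sliding window presents the split pattern to the matcher one segment earlier than the flush point does, at the cost of more matcher calls per session.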



