[Snort-devel] Stream5 Question

Steven Sturges steve.sturges at ...402...
Mon Jul 7 13:37:38 EDT 2008


Yes, Stream5 has been in use for a fairly significant amount
of time and is just as stable, if not more so, than Stream4.

The target-based reassembly is certainly the biggest feature of
Stream5 when compared to Stream4.  It emulates the documented
systems very well in terms of handling overlapping data, resets,
data on SYN, etc.  Stream5 is also better at handling gaps in the
data because of missed packets.

There are a number of other changes/updates in terms of processing
TCP state transitions that are better handled by Stream5.

Stream5 has better performance in terms of caching the TCP segment
data and doing the reassembly itself.

With SnortSP, Stream4 is not supported.  ;)

Cheers.
-steve

snort user wrote:
> Hello and Greetings
> 
> Stream5 has been in snort for quite some time now, I am assuming that
> it is as stable as stream4
> (correct me if I am wrong)
> 
> Having noted that, what are the features that are present in one and
> not the other?
> 
> The obvious addition in stream5 is the 'target based reassembly'.
> I checked the READMEs and did not find anything else standing out.
> 
> Are there any more features that Stream5 provides that are not there in Stream4?
> Are there any features that are missing in stream5 from stream4?
> 
> Is one (stream4 or stream5) superior to the other from experience?
> 
> Thanks !!
> 
> 
> On Wed, Sep 5, 2007 at 4:03 PM, Steven Sturges
> <steve.sturges at ...402...> wrote:
>> Yes, that is correct.
>>
>> snort user wrote:
>>> And when a reassembly is done, both the reassembled stream as well as
>>> the current packet go through the matching engine, right?
>>> (in both modes - window and flush)
>>>
>>>
>>>
>>>
>>> On 9/5/07, Steven Sturges <steve.sturges at ...402...> wrote:
>>>> By default Stream5 reassembles every 'n' segments, based on a flush point.
>>>>
>>>> However, any session can be programmatically changed/configured to
>>>> use the sliding window policy, which would reassemble with every
>>>> segment along a sliding window that is larger than the flush point.
>>>> Have a look at the stream api header file for details on the
>>>> set_reassembly() function.
>>>>
>>>> Cheers.
>>>> -steve
>>>>
>>>> snort user wrote:
>>>>> Hello and Greetings.
>>>>>
>>>>> Does stream5, in the inline mode, perform reassembly for every tcp
>>>>> segment (with data) ?
>>>>> or is it done every 'n' segments (where n > 1) based on when the flush
>>>>> point is reached ?
>>>>>
>>>>> Thanks
>>>>>
>>>>> -------------------------------------------------------------------------
>>>>> This SF.net email is sponsored by: Splunk Inc.
>>>>> Still grepping through log files to find problems?  Stop.
>>>>> Now Search log events and configuration files using AJAX and a browser.
>>>>> Download your FREE copy of Splunk now >>  http://get.splunk.com/
>>>>> _______________________________________________
>>>>> Snort-devel mailing list
>>>>> Snort-devel at lists.sourceforge.net
>>>>> https://lists.sourceforge.net/lists/listinfo/snort-devel
>>>>>
>>>
> 
> 
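The point about target-based handling of overlapping data and gaps, as an added example that is not part of the thread and not Snort source code: the same segments yield different application data depending on which copy of an overlapped byte the receiving stack keeps, so the sensor has to apply the policy of the host it protects. The two policies, the `reassemble` and `view` names, the `?` gap marker and the sample segments are assumptions made for illustration; the policies Stream5 documents have more cases than these two.

```c
#include <stdio.h>
#include <string.h>

/* Two simplified overlap policies (assumption: real stacks have more cases). */
enum policy { POLICY_FIRST, POLICY_LAST };
struct seg { size_t off; const char *data; };   /* off = offset in the stream */

/* Constructed sample, in arrival order: "cccc" overlaps bytes 2..5 that
   were already received, and bytes 8..9 never arrive (missed packet). */
static const struct seg SAMPLE[] = {
    {0, "AAAA"}, {4, "BBBB"}, {2, "cccc"}, {10, "DD"}
};

/* Rebuild the byte stream as the target would deliver it to the application.
   Bytes that never arrived are marked '?'. Returns the reassembled length. */
size_t reassemble(const struct seg *s, size_t n, enum policy p,
                  char *out, size_t cap)
{
    unsigned char seen[256] = {0};
    size_t end = 0;
    if (cap == 0) return 0;
    if (cap > sizeof seen) cap = sizeof seen;
    for (size_t i = 0; i < n; i++) {
        size_t len = strlen(s[i].data);
        for (size_t j = 0; j < len; j++) {
            size_t pos = s[i].off + j;
            if (pos + 1 >= cap) break;                    /* keep room for NUL */
            if (seen[pos] && p == POLICY_FIRST) continue; /* old bytes win */
            out[pos] = s[i].data[j];                      /* new bytes win */
            seen[pos] = 1;
            if (pos + 1 > end) end = pos + 1;
        }
    }
    for (size_t k = 0; k < end; k++)
        if (!seen[k]) out[k] = '?';                       /* gap in the data */
    out[end] = '\0';
    return end;
}

/* Reassembled view of SAMPLE under one policy (one static buffer per policy). */
const char *view(enum policy p)
{
    static char buf[2][64];
    reassemble(SAMPLE, sizeof SAMPLE / sizeof SAMPLE[0], p, buf[p], sizeof buf[p]);
    return buf[p];
}

int main(void)
{
    printf("first: %s\nlast:  %s\n", view(POLICY_FIRST), view(POLICY_LAST));
    return 0;
}
```

A rule matching on `cccc` sees it only under the last-wins view, so a sensor reassembling with the other policy would inspect data the target never delivers to the application.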



