[Snort-devel] Regarding Stream6 preprocessor

Sherlock Holmes sherlockholmessh56 at ...2499...
Wed May 3 07:55:24 EDT 2017


Hello Snort aficionados,

I have a few questions on the Stream6 preprocessor. I'm a complete newbie
and I hope you'll pardon my ignorance. Also, this is my first query to the
open source community. I am not sure of the etiquette followed. I'm all
ears.

I understand the intent of this input plugin. It is needed for TCP
reassembly, among other things.

1. Would it be possible to bypass this preprocessor altogether for TCP
traffic if it is absolutely certain that Snort will always receive in-order
TCP segments with no overlap (I won't get into how that is possible now)?

2. Here is the code flow:

StreamProcess()
    StreamProcessTcp()
        ProcessTcp()
            ProcessTcpData()
                 ProcessTcpStream()
                      StreamQueue()/NewQueue()
                            AddStreamNode()  ---- Internally does a calloc of 'StreamSegment'.
        CheckFlushPolicyOnData() -----|
        CheckFlushPolicyOnAck()  -----| These two checks are for the PAF and to do a 'flush'.

If I were to skip CheckFlushPolicyOnAck(), would that result in any dire
ramifications?

3. 'Packet' is Snort's abstraction of a packet, like we have sk_buff in the
Linux kernel and mbuf in FreeBSD. So what is the intent of doing another
calloc of 'StreamSegment' for every packet, when we already have the
'Packet' structure? This 'StreamSegment' is again merged into 'Packet' when
doing a flush.


4. Flushing happens in a do-while loop in _flush_to_seq(). It is
specifically this code chunk within the do-while that sends the packet
further:

_flush_to_seq() {
.
.
            SnortEventqPush();
            Preprocess(s5_pkt);
            SnortEventqPop();

.
.

}
A call to Preprocess sends the packet to the next preprocessor. So, if the
flush were to happen after 5 'StreamSegment's were queued, does it mean
that the 'Packet' that gets forwarded (for instance, FlushStream() builds
the packet from StreamSegments) is a single one in lieu of 5?


Would highly appreciate any inputs. Thanks for your time.

Much obliged,
- S
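As an added illustration of the queue-then-flush behaviour asked about in question 4 (this is not Snort's code; the struct and function names are a simplified model, and the per-segment calloc, in-order insertion and flush-up-to-a-sequence-number are assumptions about how such a queue behaves), here is a toy segment list that allocates one node per TCP segment and, on flush, rebuilds one contiguous buffer from all contiguous queued nodes:

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Toy model of a Stream6-style segment queue (assumption: not Snort's code). */
typedef struct seg {
    uint32_t seq;          /* TCP sequence number of the first payload byte */
    uint16_t size;         /* payload bytes held by this node */
    uint8_t *data;
    struct seg *next;
} seg_t;

typedef struct {
    seg_t *head;           /* list kept sorted by seq */
    uint32_t base_seq;     /* next sequence number expected to be flushed */
    unsigned count;        /* queued nodes, i.e. callocs not yet released */
} tracker_t;

/* AddStreamNode()-like: one calloc per segment, inserted in seq order.
 * Returns 1 if queued, 0 for an exact retransmission, -1 on allocation failure. */
static int add_segment(tracker_t *t, uint32_t seq, const uint8_t *data, uint16_t size) {
    seg_t **pp = &t->head;
    while (*pp && (int32_t)((*pp)->seq - seq) < 0) pp = &(*pp)->next; /* wrap-safe */
    if (*pp && (*pp)->seq == seq) return 0;
    seg_t *s = calloc(1, sizeof *s);
    if (!s) return -1;
    s->data = malloc(size);
    if (!s->data) { free(s); return -1; }
    memcpy(s->data, data, size);
    s->seq = seq; s->size = size; s->next = *pp; *pp = s;
    t->count++;
    return 1;
}

/* _flush_to_seq()-like: copy every contiguous node below to_seq into one
 * buffer (the single rebuilt packet) and release the nodes. Stops at the
 * first hole, so data is never flushed past a gap in the sequence space. */
static size_t flush_to_seq(tracker_t *t, uint32_t to_seq, uint8_t *out, size_t cap) {
    size_t n = 0;
    while (t->head && t->head->seq == t->base_seq &&
           (int32_t)(t->head->seq - to_seq) < 0 && n + t->head->size <= cap) {
        seg_t *s = t->head;
        memcpy(out + n, s->data, s->size);
        n += s->size;
        t->base_seq += s->size;
        t->head = s->next; t->count--;
        free(s->data); free(s);
    }
    return n;
}
```

Five queued two-byte segments come out of flush_to_seq() as one ten-byte buffer and zero remaining nodes, which is the "single one in lieu of 5" case; a missing segment leaves everything after the hole queued.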