[Snort-sigs] What is the FLUSH STREAM (in spp_stream4.c) for?

Matt Kettler mkettler at ...189...
Fri Jul 11 09:40:20 EDT 2003

At 03:04 PM 7/11/2003 +0800, =?gb2312?B?1Pgg0KHBog==?= wrote:
> There're a lot of FLUSH STREAM cases in spp_stream4.c. Do you know
> the meaning of that?

I'd assume that FLUSH STREAM flushes the stream.

If you're not familiar with the very common concept of "flushing", it means 
to force all buffered data to be processed without further wait. As in the 
C library fflush() function, which forces all buffered data associated with 
a file handle to be written to disk.

In the case of stream4, this preprocessor reassembles data in a TCP stream 
that's been split into multiple packets. To do this, stream4 buffers up 
data from multiple packets and then pushes them through into the ruleset as 
if it were a single TCP frame that contained the data. The act of pushing 
all the currently buffered data into the ruleset for processing is 
"flushing the stream".

In the particular case you cite, the session is being destroyed by the 
issuance of a RST packet. Since the connection is being torn down, all data 
should be fed through to the ruleset without further delay, as no more data 
can arrive that will actually be used by the destination, so, flush away.
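To make the buffer-then-flush behaviour described above concrete, here is a toy TCP stream reassembler written as an added example; it is not code from Snort or from spp_stream4.c, and the segment format, the flush threshold and the `cmd=reboot` signature are constructed assumptions. It buffers out-of-order segments by sequence number, stitches contiguous data into one buffer, and "flushes" (hands the reassembled bytes to a rule callback as a single unit) either when a byte threshold is reached or when the session is torn down by RST or FIN. The demo splits a signature across two segments delivered out of order, which a per-packet check misses and the flushed stream catches.

```python
"""Toy TCP stream reassembler illustrating "flushing a stream".

Added example, not Snort's stream4 code. Segment layout, threshold and
the rule signature are simplified assumptions for demonstration.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple


@dataclass
class Segment:
    seq: int            # sequence number of the first payload byte
    payload: bytes
    rst: bool = False
    fin: bool = False


@dataclass
class Stream:
    next_seq: int                            # next in-order byte expected
    flush_threshold: int                     # flush when buffer reaches this size
    on_flush: Callable[[bytes], List[str]]   # the "ruleset": returns alert names
    pending: Dict[int, bytes] = field(default_factory=dict)  # out-of-order data
    buffer: bytearray = field(default_factory=bytearray)     # contiguous, unflushed
    alerts: List[str] = field(default_factory=list)
    flush_count: int = 0

    def flush(self, reason: str) -> int:
        """Push everything buffered through the ruleset as one unit, then clear.
        Returns the number of bytes flushed."""
        if not self.buffer:
            return 0
        n = len(self.buffer)
        self.alerts.extend(f"{reason}: {a}" for a in self.on_flush(bytes(self.buffer)))
        self.buffer.clear()
        self.flush_count += 1
        return n

    def feed(self, seg: Segment) -> None:
        """Accept one segment; reassemble what is now contiguous; flush if due."""
        if seg.payload:
            self.pending[seg.seq] = seg.payload   # retransmits simply overwrite
        # Pull every segment that has become contiguous into the buffer.
        while self.next_seq in self.pending:
            data = self.pending.pop(self.next_seq)
            self.buffer.extend(data)
            self.next_seq += len(data)
        if seg.rst or seg.fin:
            # Session is being torn down: no more usable data can arrive,
            # so feed whatever is buffered to the ruleset without delay.
            self.flush("teardown")
        elif len(self.buffer) >= self.flush_threshold:
            self.flush("threshold")


# Constructed signature for the demo; hypothetical, not a real Snort rule.
SIGNATURE = b"cmd=reboot"


def rules(data: bytes) -> List[str]:
    """Stand-in for the ruleset: one content match."""
    return ["sig1 matched"] if SIGNATURE in data else []


def run_demo() -> Tuple[List[str], List[List[str]], int]:
    """Signature split across two out-of-order segments, then a RST.
    Returns (stream alerts, per-packet alerts, number of flushes)."""
    first = b"POST /x HTTP/1.0\r\n\r\ncmd=re"     # 26 bytes, seq 1000
    second = b"boot&x=1"                           # 8 bytes,  seq 1026
    segs = [
        Segment(seq=1000 + len(first), payload=second),        # arrives first
        Segment(seq=1000, payload=first),                      # arrives second
        Segment(seq=1000 + len(first) + len(second), payload=b"", rst=True),
    ]
    # Naive per-packet inspection: neither packet alone contains the signature.
    per_packet = [rules(s.payload) for s in segs]
    stream = Stream(next_seq=1000, flush_threshold=4096, on_flush=rules)
    for s in segs:
        stream.feed(s)
    return stream.alerts, per_packet, stream.flush_count


if __name__ == "__main__":
    alerts, per_packet, flushes = run_demo()
    print("per-packet hits:", per_packet)
    print("stream alerts:  ", alerts, "after", flushes, "flush(es)")
```

The threshold flush is what keeps memory bounded on long-lived sessions; the teardown flush is the case the original question asks about, where a RST makes any further buffering pointless.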
