[Snort-sigs] What is the FLUSH STREAM (in spp_stream4.c) for?
mkettler at ...189...
Fri Jul 11 09:40:20 EDT 2003
At 03:04 PM 7/11/2003 +0800, 曾 小立 wrote:
> There're a lot of FLUSH STREAM cases in spp_stream4.c. Do you know
> the meaning of that?
I'd assume that FLUSH STREAM flushes the stream.
If you're not familiar with the very common concept of "flushing", it means
to force all buffered data to be processed without further wait. As in the
C library fflush() function, which forces all buffered data associated with
a file handle to be written to disk.
In the case of stream4, this preprocessor reassembles data in a TCP stream
that's been split into multiple packets. To do this, stream4 buffers up
data from multiple packets and then pushes them through into the ruleset as
if it were a single TCP frame that contained the data. The act of pushing
all the currently buffered data into the ruleset for processing is
"flushing the stream".
In the particular case you cite, the session is being destroyed by the
issuance of a RST packet. Since the connection is being torn down, all data
should be fed through to the ruleset without further delay, as no more data
can arrive that will actually be used by the destination, so, flush away.
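A toy reassembler showing the buffer-then-flush behaviour described above, including the flush forced by a RST. This is an added example, not Snort's stream4 code; the Segment/Session names and the FLUSH_BYTES threshold are constructed for illustration.

```python
from dataclasses import dataclass, field

TH_RST = 0x04          # TCP RST flag bit
FLUSH_BYTES = 1024     # constructed flush point; stream4's real thresholds differ

@dataclass
class Segment:
    seq: int           # sequence number of the first payload byte
    flags: int         # TCP flags byte
    payload: bytes

@dataclass
class Session:
    next_seq: int                                 # next byte the receiver expects
    buffered: dict = field(default_factory=dict)  # seq -> payload awaiting reassembly
    closed: bool = False

    def flush(self) -> bytes:
        """Reassemble everything contiguous from next_seq and hand it to the
        ruleset as one chunk (the 'FLUSH STREAM' step). Data past a hole stays."""
        out = bytearray()
        while self.next_seq in self.buffered:
            chunk = self.buffered.pop(self.next_seq)
            out += chunk
            self.next_seq += len(chunk)
        return bytes(out)

    def feed(self, seg: Segment) -> bytes:
        """Buffer one segment; return the bytes released to the ruleset (b"" if none)."""
        if self.closed:
            return b""
        if seg.payload and seg.seq >= self.next_seq and seg.seq not in self.buffered:
            self.buffered[seg.seq] = seg.payload  # retransmits/old data dropped here
        if seg.flags & TH_RST:
            # Connection is being torn down: the receiver can use nothing more,
            # so push out what is contiguous and discard the rest.
            data = self.flush()
            self.buffered.clear()
            self.closed = True
            return data
        if sum(len(p) for p in self.buffered.values()) >= FLUSH_BYTES:
            return self.flush()
        return b""

def demo() -> bytes:
    """Constructed exchange: one request split into out-of-order segments, then RST."""
    s = Session(next_seq=1000)
    s.feed(Segment(1000, 0, b"GET /in"))
    s.feed(Segment(1016, 0, b"HTTP/1.0\r\n"))      # arrives early, held in buffer
    return s.feed(Segment(1007, TH_RST, b"dex.html "))  # RST forces the flush
```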