[Snort-sigs] About content field.. (stream4 flushing behaviors)
mkettler at ...189...
Wed Apr 7 17:22:16 EDT 2004
At 03:43 PM 4/7/2004, Frank Meerkoetter wrote:
>Till now I thought stream4 would broadly operate in the following way:
> a) Gather the data transmitted within a tcp connection.
> b) At a certain point reassemble the data into a fake segment.
> The point is chosen at random, but bounded by memory
> c) Do further processing for the fake packet.
>Is this an incorrect assumption?
Hmm, I looked at it and you are correct, flushing is somewhat random.
However, it would appear that for decent-sized TCP frames, the data will
flush every time an ack comes back.
Looking at the flush point table, (2.1.0 code) all the flush points are
rather small, all in the 100-250 byte range.
It seems to check if it should perform these flushes after data is
acknowledged by the other side.
So, unless fewer than "flush_point" bytes are acknowledged, an ack packet
from the other side will cause stream4 to flush.
Given that "flush_point" ranges are in the handfuls of hundreds of bytes,
for most "middle of a long transfer" type TCP flows every ack will cause a
Socket closure, reset, or memory limits also appear to cause flushing.
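The flushing behaviour described in the reply above, as an added illustrative model (not Snort's stream4 code): a flow buffers in-order segments, flushes the acknowledged prefix into one reassembled pseudo-packet once at least flush_point bytes of unflushed data have been acknowledged, and also flushes on close/reset or when a buffered-byte bound is reached. The 100-250 byte flush_point range comes from the reply; the memory bound value, the function names and the sample data are assumptions. It also shows why flush boundaries matter for a content match: a string that straddles a boundary is not seen whole in either pseudo-packet, even though it is present in the stream.

```python
"""Toy model of stream4-style TCP reassembly flushing (illustrative, not Snort code)."""
import random
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class Flow:
    flush_point: int                       # acked-but-unflushed bytes needed before a flush
    mem_cap: int                           # buffered-byte bound that forces a flush (assumed)
    segments: List[Tuple[int, bytes]] = field(default_factory=list)  # unflushed (seq, payload)
    flushed_upto: int = 0                  # stream offset already handed to detection
    flushes: List[bytes] = field(default_factory=list)   # reassembled "fake packets"
    reasons: List[str] = field(default_factory=list)     # why each flush happened


def new_flow(flush_point: Optional[int] = None, mem_cap: int = 4096, seed: int = 0) -> Flow:
    """Pick a flush point at random from the 100-250 byte range unless one is given."""
    rng = random.Random(seed)
    if flush_point is None:
        flush_point = rng.randint(100, 250)
    return Flow(flush_point=flush_point, mem_cap=mem_cap)


def _flush(flow: Flow, upto: int, reason: str) -> bytes:
    """Build one pseudo-packet from buffered data in [flushed_upto, upto)."""
    chunk = b""
    remaining = []
    for seq, payload in flow.segments:
        end = seq + len(payload)
        if end <= upto:
            chunk += payload
        elif seq < upto:                   # boundary falls inside this segment
            chunk += payload[:upto - seq]
            remaining.append((upto, payload[upto - seq:]))
        else:
            remaining.append((seq, payload))
    flow.segments = remaining
    flow.flushed_upto = upto
    if chunk:
        flow.flushes.append(chunk)
        flow.reasons.append(reason)
    return chunk


def on_data(flow: Flow, seq: int, payload: bytes) -> Optional[bytes]:
    """Buffer an in-order data segment; flush early if the memory bound is hit."""
    flow.segments.append((seq, payload))
    buffered = sum(len(p) for _, p in flow.segments)
    if buffered >= flow.mem_cap:
        return _flush(flow, seq + len(payload), "memory")
    return None


def on_ack(flow: Flow, ack: int) -> Optional[bytes]:
    """ACK from the peer: flush if at least flush_point unflushed bytes are now acknowledged."""
    if ack - flow.flushed_upto >= flow.flush_point:
        return _flush(flow, ack, "ack")
    return None


def on_close(flow: Flow) -> Optional[bytes]:
    """FIN/RST: flush whatever remains regardless of flush_point."""
    end = max((s + len(p) for s, p in flow.segments), default=flow.flushed_upto)
    return _flush(flow, end, "close")


def simulate(flush_point: int, seg_size: int, data: bytes) -> List[bytes]:
    """Send data as seg_size-byte segments, ACKing each one, then close; return the flushes."""
    flow = new_flow(flush_point=flush_point)
    for off in range(0, len(data), seg_size):
        seg = data[off:off + seg_size]
        on_data(flow, off, seg)
        on_ack(flow, off + len(seg))
    on_close(flow)
    return flow.flushes


def chunks_containing(chunks: List[bytes], pattern: bytes) -> List[int]:
    """Indices of pseudo-packets in which a content-style match would succeed."""
    return [i for i, c in enumerate(chunks) if pattern in c]


# Constructed sample: 300 bytes of filler with a marker straddling offset 200.
SAMPLE = b"A" * 195 + b"MARKER1234" + b"B" * 95

if __name__ == "__main__":
    flushes = simulate(flush_point=150, seg_size=100, data=SAMPLE)
    print([len(c) for c in flushes])                      # [200, 100]
    print(chunks_containing(flushes, b"MARKER1234"))      # [] : split across the boundary
    print(b"MARKER1234" in b"".join(flushes))             # True : present in the stream
```

With a 150-byte flush point and 100-byte segments, the second ACK triggers a flush at offset 200 and the close flushes the rest, so the marker is split between the two pseudo-packets and a per-pseudo-packet content check never sees it whole.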