[Snort-sigs] stream5 and use_static_footprint_sizes

Todd Wease twease at ...435...
Mon Dec 7 17:36:46 EST 2009

Guise McAllaster wrote:
> Hi,
> I inherited some snorts and noticed that they all had the
> 'use_static_footprint_sizes' option enabled for the streams5
> preprocessor.  Can someone please give me more info about this.  I am
> reading in the manual where it recommends not to have this turned on
> in production but it looks like a lot of people use it.  Why?
> The README says it emulates stream4 flushing of reassembled packets
> but I still do not know what this means.
> Thx.
> --Guise

It's really only good for testing against pcaps, in that consistent
results can be gotten on multiple runs since the flush points will be
the same each time and hence segmented streams will always be
reassembled the same way.

Note that stream will gather segments, handle overlaps and such, then at
some point "reassemble" those segments and send that packet through the
preprocessors and detection engine.

I would recommend not using "use_static_footprint_sizes" in a production
environment, since you don't want to give an attacker a chance to
segment a stream such that the segments of an attack will span flush
points.  Maybe not easy for an attacker to do, but still good to
randomize the flush points here.

More information about the Snort-sigs mailing list