[Snort-sigs] stream5 and use_static_footprint_sizes

Guise McAllaster guise.mcallaster at ...2420...
Tue Dec 8 10:53:37 EST 2009


Todd,

Thanks for this response, I really appreciate it.  From what you say and
what I have read, it seems that using use_static_footprint_sizes is not
recommended.  However, I am puzzled because I just did a generic snort
install (using Ubuntu and apt-get) and I notice that
use_static_footprint_sizes IS enabled.  But why?

--Guise

On Mon, Dec 7, 2009 at 10:36 PM, Todd Wease <twease at ...435...> wrote:

> Guise McAllaster wrote:
> > Hi,
> >
> > I inherited some snorts and noticed that they all had the
> > 'use_static_footprint_sizes' option enabled for the stream5
> > preprocessor.  Can someone please give me more info about this.  I am
> > reading in the manual where it recommends not to have this turned on
> > in production but it looks like a lot of people use it.  Why?
> >
> > The README says it emulates stream4 flushing of reassembled packets
> > but I still do not know what this means.
> >
> > Thx.
> >
> > --Guise
>
> It's really only good for testing against pcaps, in that consistent
> results can be gotten on multiple runs since the flush points will be
> the same each time and hence segmented streams will always be
> reassembled the same way.
>
> Note that stream will gather segments, handle overlaps and such, then at
> some point "reassemble" those segments and send that packet through the
> preprocessors and detection engine.
>
> I would recommend not using "use_static_footprint_sizes" in a production
> environment, since you don't want to give an attacker a chance to
> segment a stream such that the segments of an attack will span flush
> points.  Maybe not easy for an attacker to do, but still good to
> randomize the flush points here.
>
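A toy model of the evasion Todd describes in the quoted reply, added here as an illustration and not code from Snort or from either poster. It assumes a sensor that reassembles a TCP stream into chunks cut at multiples of a "flush point" and runs content matching on each chunk on its own, and an attacker who controls the exact byte layout of the stream. The flush point values, the rule content `/bin/sh` and the padding sizes are all made up for the example; the real stream5 flush point ranges are not reproduced.

```python
# Toy model of stream reassembly flush points (added example, not Snort code).
# Assumptions: chunks are cut at multiples of one flush point; content
# matching sees each reassembled chunk independently; the attacker knows
# (or guesses) the flush point and chooses where the attack bytes land.

ATTACK = b"/bin/sh"   # hypothetical rule content; any byte string works


def reassemble(stream: bytes, flush_point: int) -> list:
    """Cut the stream into reassembled 'packets' of flush_point bytes each."""
    return [stream[i:i + flush_point] for i in range(0, len(stream), flush_point)]


def matched(stream: bytes, flush_point: int, content: bytes = ATTACK) -> bool:
    """True if at least one reassembled chunk contains the rule content whole."""
    return any(content in chunk for chunk in reassemble(stream, flush_point))


def evasive_stream(guessed_flush: int, content: bytes = ATTACK,
                   trailer: int = 200) -> bytes:
    """Lay the attack bytes out so they straddle the chunk boundary the
    attacker expects: half the content lands before byte guessed_flush,
    half after, so neither chunk holds the whole pattern."""
    lead = guessed_flush - len(content) // 2
    return b"A" * lead + content + b"B" * trailer   # constructed filler bytes


def evasion_rate(guessed_flush: int, candidates: range,
                 content: bytes = ATTACK) -> float:
    """Fraction of candidate flush points (the set a randomized sensor might
    pick from) for which the evasive stream goes unmatched.  Low is good for
    the defender: the attacker's guess rarely lines up with the real cut."""
    stream = evasive_stream(guessed_flush, content)
    misses = sum(1 for f in candidates if not matched(stream, f, content))
    return misses / len(candidates)


if __name__ == "__main__":
    stream = evasive_stream(128)
    # Static, predictable flush point: the attacker's guess is exact and
    # the pattern is split across two chunks, so it never matches.
    print("static flush point 128 matched:", matched(stream, 128))
    # Randomized flush point drawn from 64..256: the split only succeeds
    # when the chosen cut happens to fall inside the 7-byte pattern.
    print("evasion rate over 64..256: %.3f" % evasion_rate(128, range(64, 257)))
```

The point of the model is the one in Todd's reply: the evasion needs the attacker to know where the reassembled packet will be cut. Once the cut is fixed and known (the static-footprint behaviour), the attacker can place the attack bytes across it every time; once it varies per session, the same layout only works on the small fraction of flush points that land inside the pattern.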

