[Snort-sigs] stream5 and use_static_footprint_sizes

Matt Olney molney at ...435...
Tue Dec 8 11:07:15 EST 2009


Guise,

I'll check with Brian, who manages the open snort config file and see what's
up.

Matt

On Tue, Dec 8, 2009 at 10:53 AM, Guise McAllaster <
guise.mcallaster at ...2420...> wrote:

> Todd,
>
> Thanks for this response, I really appreciate it.  From what you say and
> what I have read, it seems that using use_static_footprint_sizes is not
> recommended.  However, I am puzzled because I just did a generic snort
> install (using Ubuntu and apt-get) and I notice that
> use_static_footprint_sizes IS enabled.  But why?
>
> --Guise
>
>
> On Mon, Dec 7, 2009 at 10:36 PM, Todd Wease <twease at ...435...> wrote:
>
>> Guise McAllaster wrote:
>> > Hi,
>> >
>> > I inherited some snorts and noticed that they all had the
>> > 'use_static_footprint_sizes' option enabled for the stream5
>> > preprocessor.  Can someone please give me more info about this?  I am
>> > reading in the manual where it recommends not to have this turned on
>> > in production but it looks like a lot of people use it.  Why?
>> >
>> > The README says it emulates stream4 flushing of reassembled packets
>> > but I still do not know what this means.
>> >
>> > Thx.
>> >
>> > --Guise
>>
>> It's really only good for testing against pcaps, in that consistent
>> results can be gotten on multiple runs since the flush points will be
>> the same each time and hence segmented streams will always be
>> reassembled the same way.
>>
>> Note that stream will gather segments, handle overlaps and such, then at
>> some point "reassemble" those segments and send that packet through the
>> preprocessors and detection engine.
>>
>> I would recommend not using "use_static_footprint_sizes" in a production
>> environment, since you don't want to give an attacker a chance to
>> segment a stream such that the segments of an attack will span flush
>> points.  Maybe not easy for an attacker to do, but still good to
>> randomize the flush points here.
>>
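For reference, here is the distinction in snort.conf terms. This is an added illustration, not a configuration from the thread or from the Ubuntu package; the stream5_global options and the stream5_tcp port list are assumed values, not a distribution default.

```conf
# Illustrative snort.conf fragment (assumed values, not the thread's own config).

# What a stock install may ship: deterministic flush points. Suitable for
# replaying pcaps, because every run reassembles segments identically.
preprocessor stream5_global: track_tcp yes, track_udp yes
preprocessor stream5_tcp: policy first, use_static_footprint_sizes, ports client 21 25 80 443

# Production: the same line with use_static_footprint_sizes removed, so stream5
# randomizes its flush points and an attacker cannot predict where a
# reassembled packet will be cut.
preprocessor stream5_tcp: policy first, ports client 21 25 80 443
```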