[Snort-users] Stream5 question

tung tran tunghack at ...11827...
Tue Apr 8 02:29:25 EDT 2008


Hi all,
I should also mention that I tested this issue with the newest version
of Snort. However, I had to send the packet (with invalid sequence and
ack numbers) repeatedly 3 times (to Snort) before Snort passed one of
the packets down to the detection engine ( I wrote a rule to check
this)
Thanks,

On Tue, Apr 8, 2008 at 2:12 AM, tung tran <tunghack at ...11827...> wrote:
> Hi all,
>  My question is: "is is true that even though Stream5 preprocessor is
>  on (with necessary directives set), Snort always passes a packet down
>  to the detection engine even though the packet has invalid sequence
>  number/ acknowledge number which is not expected by the receiver and
>  the packet is normally discarded by the receiver ?". Is there a way to
>  tell Snort not to passes packets with invalid sequence/acknowledge
>  numbers down to the detection engine? I tested this with the newest
>  version of Snort.
>  Thanks,
>  Tung.
>




More information about the Snort-users mailing list